gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-17 15:21:52 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:26:13 +00:00
parent 44da2ea78f
commit 6f74ac1a76
245 changed files with 9102 additions and 11816 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
View File

@@ -6,103 +6,99 @@
## VCS
VCS stands for **Version Control System**, this systems allows developers to **manage their source code**. The most common one is **git** and you will usually find companies using it in one of the following **platforms**:
VCS inamaanisha **Mfumo wa Kudhibiti Toleo**, mifumo hii inaruhusu waendelezaji **kusimamia msimbo wao wa chanzo**. Mmoja wa kawaida ni **git** na kawaida utaona kampuni zikilitumia katika moja ya **majukwaa** yafuatayo:
- Github
- Gitlab
- Bitbucket
- Gitea
- Cloud providers (they offer their own VCS platforms)
- Watoa huduma wa wingu (wanatoa majukwaa yao ya VCS)
## CI/CD Pipelines
CI/CD pipelines enable developers to **automate the execution of code** for various purposes, including building, testing, and deploying applications. These automated workflows are **triggered by specific actions**, such as code pushes, pull requests, or scheduled tasks. They are useful for streamlining the process from development to production.
Pipelines za CI/CD zinawawezesha waendelezaji **kujiandaa kutekeleza msimbo** kwa madhumuni mbalimbali, ikiwa ni pamoja na kujenga, kujaribu, na kupeleka programu. Mifumo hii ya kiotomatiki **inasababishwa na vitendo maalum**, kama vile kusukuma msimbo, maombi ya kuvuta, au kazi zilizopangwa. Zinasaidia katika kuboresha mchakato kutoka kwa maendeleo hadi uzalishaji.
However, these systems need to be **executed somewhere** and usually with **privileged credentials to deploy code or access sensitive information**.
Hata hivyo, mifumo hii inahitaji **kutekelezwa mahali fulani** na kawaida kwa **akidi za kibali ili kupeleka msimbo au kufikia taarifa nyeti**.
## VCS Pentesting Methodology
> [!NOTE]
> Even if some VCS platforms allow to create pipelines for this section we are going to analyze only potential attacks to the control of the source code.
> Hata kama baadhi ya majukwaa ya VCS yanaruhusu kuunda pipelines kwa sehemu hii tutachambua tu mashambulizi yanayoweza kutokea kwenye udhibiti wa msimbo wa chanzo.
Platforms that contains the source code of your project contains sensitive information and people need to be very careful with the permissions granted inside this platform. These are some common problems across VCS platforms that attacker could abuse:
Majukwaa yanayoshikilia msimbo wa mradi wako yana taarifa nyeti na watu wanahitaji kuwa makini sana na ruhusa zinazotolewa ndani ya jukwaa hili. Haya ni baadhi ya matatizo ya kawaida katika majukwaa ya VCS ambayo mshambuliaji anaweza kuyatumia:
- **Leaks**: If your code contains leaks in the commits and the attacker can access the repo (because it's public or because he has access), he could discover the leaks.
- **Access**: If an attacker can **access to an account inside the VCS platform** he could gain **more visibility and permissions**.
- **Register**: Some platforms will just allow external users to create an account.
- **SSO**: Some platforms won't allow users to register, but will allow anyone to access with a valid SSO (so an attacker could use his github account to enter for example).
- **Credentials**: Username+Pwd, personal tokens, ssh keys, Oauth tokens, cookies... there are several kind of tokens a user could steal to access in some way a repo.
- **Webhooks**: VCS platforms allow to generate webhooks. If they are **not protected** with non visible secrets an **attacker could abuse them**.
- If no secret is in place, the attacker could abuse the webhook of the third party platform
- If the secret is in the URL, the same happens and the attacker also have the secret
- **Code compromise:** If a malicious actor has some kind of **write** access over the repos, he could try to **inject malicious code**. In order to be successful he might need to **bypass branch protections**. These actions can be performed with different goals in mid:
- Compromise the main branch to **compromise production**.
- Compromise the main (or other branches) to **compromise developers machines** (as they usually execute test, terraform or other things inside the repo in their machines).
- **Compromise the pipeline** (check next section)
- **Leaks**: Ikiwa msimbo wako una leaks katika commits na mshambuliaji anaweza kufikia repo (kwa sababu ni ya umma au kwa sababu ana ufikiaji), anaweza kugundua leaks.
- **Access**: Ikiwa mshambuliaji anaweza **kufikia akaunti ndani ya jukwaa la VCS** anaweza kupata **nadharia zaidi na ruhusa**.
- **Register**: Baadhi ya majukwaa yataruhusu tu watumiaji wa nje kuunda akaunti.
- **SSO**: Baadhi ya majukwaa hayataruhusu watumiaji kujiandikisha, lakini yataruhusu mtu yeyote kufikia kwa SSO halali (hivyo mshambuliaji anaweza kutumia akaunti yake ya github kuingia kwa mfano).
- **Credentials**: Jina la mtumiaji + Pwd, alama za kibinafsi, funguo za ssh, alama za Oauth, cookies... kuna aina kadhaa za alama ambazo mtumiaji anaweza kuiba ili kufikia kwa njia fulani repo.
- **Webhooks**: Majukwaa ya VCS yanaruhusu kuunda webhooks. Ikiwa hazijalindwa na siri zisizoonekana, **mshambuliaji anaweza kuzitumia vibaya**.
- Ikiwa hakuna siri iliyowekwa, mshambuliaji anaweza kuzitumia vibaya webhook ya jukwaa la tatu
- Ikiwa siri iko katika URL, jambo hilo linaweza kutokea na mshambuliaji pia ana siri hiyo
- **Code compromise:** Ikiwa mhusika mbaya ana aina fulani ya **kuandika** ufikiaji juu ya repos, anaweza kujaribu **kuiingiza msimbo mbaya**. Ili kufanikiwa anaweza kuhitaji **kuzidi ulinzi wa tawi**. Vitendo hivi vinaweza kufanywa kwa malengo tofauti akilini:
- Kuathiri tawi kuu ili **kuathiri uzalishaji**.
- Kuathiri tawi kuu (au matawi mengine) ili **kuathiri mashine za waendelezaji** (kama kawaida wanatekeleza majaribio, terraform au mambo mengine ndani ya repo kwenye mashine zao).
- **Kuathiri pipeline** (angalia sehemu inayofuata)
## Pipelines Pentesting Methodology
The most common way to define a pipeline, is by using a **CI configuration file hosted in the repository** the pipeline builds. This file describes the order of executed jobs, conditions that affect the flow, and build environment settings.\
These files typically have a consistent name and format, for example — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), and the GitHub Actions YAML files located under .github/workflows. When triggered, the pipeline job **pulls the code** from the selected source (e.g. commit / branch), and **runs the commands specified in the CI configuration file** against that code.
Njia ya kawaida zaidi ya kufafanua pipeline, ni kwa kutumia **faili ya usanidi wa CI iliyohifadhiwa katika hazina** ambayo pipeline inajenga. Faili hii inaelezea mpangilio wa kazi zinazotekelezwa, masharti yanayoathiri mtiririko, na mipangilio ya mazingira ya kujenga.\
Faili hizi kwa kawaida zina jina na muundo wa kawaida, kwa mfano — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), na faili za YAML za GitHub Actions zilizo chini ya .github/workflows. Wakati inasababishwa, kazi ya pipeline **inasukuma msimbo** kutoka chanzo kilichochaguliwa (k.m. commit / branch), na **inaendesha amri zilizotajwa katika faili ya usanidi wa CI** dhidi ya msimbo huo.
Therefore the ultimate goal of the attacker is to somehow **compromise those configuration files** or the **commands they execute**.
Kwa hivyo lengo kuu la mshambuliaji ni kwa namna fulani **kuathiri faili hizo za usanidi** au **amri wanazotekeleza**.
### PPE - Poisoned Pipeline Execution
The Poisoned Pipeline Execution (PPE) path exploits permissions in an SCM repository to manipulate a CI pipeline and execute harmful commands. Users with the necessary permissions can modify CI configuration files or other files used by the pipeline job to include malicious commands. This "poisons" the CI pipeline, leading to the execution of these malicious commands.
Njia ya Poisoned Pipeline Execution (PPE) inatumia ruhusa katika hazina ya SCM ili manipulative pipeline ya CI na kutekeleza amri hatari. Watumiaji wenye ruhusa zinazohitajika wanaweza kubadilisha faili za usanidi wa CI au faili nyingine zinazotumiwa na kazi ya pipeline ili kujumuisha amri mbaya. Hii "ina sumu" pipeline ya CI, ikisababisha kutekelezwa kwa amri hizi mbaya.
For a malicious actor to be successful performing a PPE attack he needs to be able to:
Ili mhusika mbaya afanikiwe kufanya shambulio la PPE anahitaji kuwa na uwezo wa:
- Have **write access to the VCS platform**, as usually pipelines are triggered when a push or a pull request is performed. (Check the VCS pentesting methodology for a summary of ways to get access).
- Note that sometimes an **external PR count as "write access"**.
- Even if he has write permissions, he needs to be sure he can **modify the CI config file or other files the config is relying on**.
- For this, he might need to be able to **bypass branch protections**.
- Kuwa na **ufikiaji wa kuandika kwenye jukwaa la VCS**, kwani kawaida pipelines husababishwa wakati kusukuma au ombi la kuvuta linafanywa. (Angalia mbinu za pentesting za VCS kwa muhtasari wa njia za kupata ufikiaji).
- Kumbuka kwamba wakati mwingine **PR ya nje inachukuliwa kama "ufikiaji wa kuandika"**.
- Hata kama ana ruhusa za kuandika, anahitaji kuwa na uhakika anaweza **kubadilisha faili ya usanidi wa CI au faili nyingine ambazo usanidi unategemea**.
- Kwa hili, anaweza kuhitaji kuwa na uwezo wa **kuzidi ulinzi wa tawi**.
There are 3 PPE flavours:
Kuna ladha 3 za PPE:
- **D-PPE**: A **Direct PPE** attack occurs when the actor **modifies the CI config** file that is going to be executed.
- **I-DDE**: An **Indirect PPE** attack occurs when the actor **modifies** a **file** the CI config file that is going to be executed **relays on** (like a make file or a terraform config).
- **Public PPE or 3PE**: In some cases the pipelines can be **triggered by users that doesn't have write access in the repo** (and that might not even be part of the org) because they can send a PR.
- **3PE Command Injection**: Usually, CI/CD pipelines will **set environment variables** with **information about the PR**. If that value can be controlled by an attacker (like the title of the PR) and is **used** in a **dangerous place** (like executing **sh commands**), an attacker might **inject commands in there**.
- **D-PPE**: Shambulio la **Direct PPE** linatokea wakati mhusika **anabadilisha faili ya usanidi wa CI** ambayo itatekelezwa.
- **I-DDE**: Shambulio la **Indirect PPE** linatokea wakati mhusika **anabadilisha** **faili** ambayo faili ya usanidi wa CI ambayo itatekelezwa **inategemea** (kama faili ya kutengeneza au usanidi wa terraform).
- **Public PPE au 3PE**: Katika baadhi ya matukio pipelines zinaweza **kusababishwa na watumiaji ambao hawana ufikiaji wa kuandika katika repo** (na ambao huenda hata si sehemu ya shirika) kwa sababu wanaweza kutuma PR.
- **3PE Command Injection**: Kawaida, pipelines za CI/CD zitakuwa **kuziseti mazingira ya mabadiliko** na **taarifa kuhusu PR**. Ikiwa thamani hiyo inaweza kudhibitiwa na mshambuliaji (kama kichwa cha PR) na inatumika katika **mahali hatari** (kama kutekeleza **amri za sh**), mshambuliaji anaweza **kuingiza amri hapo**.
### Exploitation Benefits
Knowing the 3 flavours to poison a pipeline, lets check what an attacker could obtain after a successful exploitation:
Kujua ladha 3 za kuathiri pipeline, hebu tuangalie ni nini mshambuliaji anaweza kupata baada ya uhalifu wa mafanikio:
- **Secrets**: As it was mentioned previously, pipelines require **privileges** for their jobs (retrieve the code, build it, deploy it...) and this privileges are usually **granted in secrets**. These secrets are usually accessible via **env variables or files inside the system**. Therefore an attacker will always try to exfiltrate as much secrets as possible.
- Depending on the pipeline platform the attacker **might need to specify the secrets in the config**. This means that is the attacker cannot modify the CI configuration pipeline (**I-PPE** for example), he could **only exfiltrate the secrets that pipeline has**.
- **Computation**: The code is executed somewhere, depending on where is executed an attacker might be able to pivot further.
- **On-Premises**: If the pipelines are executed on premises, an attacker might end in an **internal network with access to more resources**.
- **Cloud**: The attacker could access **other machines in the cloud** but also could **exfiltrate** IAM roles/service accounts **tokens** from it to obtain **further access inside the cloud**.
- **Platforms machine**: Sometimes the jobs will be execute inside the **pipelines platform machines**, which usually are inside a cloud with **no more access**.
- **Select it:** Sometimes the **pipelines platform will have configured several machines** and if you can **modify the CI configuration file** you can **indicate where you want to run the malicious code**. In this situation, an attacker will probably run a reverse shell on each possible machine to try to exploit it further.
- **Compromise production**: If you ware inside the pipeline and the final version is built and deployed from it, you could **compromise the code that is going to end running in production**.
- **Secrets**: Kama ilivyotajwa hapo awali, pipelines zinahitaji **privileges** kwa kazi zao (kurejesha msimbo, kuujenga, kupeleka...) na ruhusa hizi kwa kawaida **zinatolewa katika siri**. Siri hizi kwa kawaida zinapatikana kupitia **mabadiliko ya mazingira au faili ndani ya mfumo**. Kwa hivyo mshambuliaji daima atajaribu kuhamasisha siri nyingi kadri iwezekanavyo.
- Kulingana na jukwaa la pipeline mshambuliaji **anaweza kuhitaji kutaja siri katika usanidi**. Hii inamaanisha kwamba ikiwa mshambuliaji cannot kubadilisha usanidi wa pipeline ya CI (**I-PPE** kwa mfano), anaweza **tu kuhamasisha siri ambazo pipeline hiyo ina**.
- **Computation**: Msimbo unatekelezwa mahali fulani, kulingana na mahali unatekelezwa mshambuliaji anaweza kuwa na uwezo wa pivot zaidi.
- **On-Premises**: Ikiwa pipelines zinafanywa kwenye premises, mshambuliaji anaweza kumaliza katika **mtandao wa ndani wenye ufikiaji wa rasilimali zaidi**.
- **Cloud**: Mshambuliaji anaweza kufikia **mashine nyingine katika wingu** lakini pia anaweza **kuhamasisha** alama za IAM/akaunti za huduma **tokens** kutoka kwake ili kupata **ufikiaji zaidi ndani ya wingu**.
- **Platforms machine**: Wakati mwingine kazi zitatekelezwa ndani ya **mashine za jukwaa la pipelines**, ambazo kawaida ziko ndani ya wingu bila **ufikiaji zaidi**.
- **Select it:** Wakati mwingine **jukwaa la pipelines litakuwa limepanga mashine kadhaa** na ikiwa unaweza **kubadilisha faili ya usanidi wa CI** unaweza **kuonyesha wapi unataka kutekeleza msimbo mbaya**. Katika hali hii, mshambuliaji labda atatekeleza shell ya kurudi kwenye kila mashine inayowezekana kujaribu kuifanyia kazi zaidi.
- **Compromise production**: Ikiwa uko ndani ya pipeline na toleo la mwisho linajengwa na kupelekwa kutoka kwake, unaweza **kuathiri msimbo ambao utaishia kutekelezwa katika uzalishaji**.
## More relevant info
### Tools & CIS Benchmark
- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is an open-source tool for auditing your software supply chain stack for security compliance based on a new [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time.
- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) ni zana ya chanzo wazi kwa ajili ya kukagua mnyororo wa usambazaji wa programu yako kwa ajili ya kufuata usalama kulingana na [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). Ukaguzi unalenga mchakato mzima wa SDLC, ambapo unaweza kufichua hatari kutoka wakati wa msimbo hadi wakati wa kupeleka.
### Top 10 CI/CD Security Risk
Check this interesting article about the top 10 CI/CD risks according to Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
Angalia makala hii ya kuvutia kuhusu hatari 10 bora za CI/CD kulingana na Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
### Labs
- On each platform that you can run locally you will find how to launch it locally so you can configure it as you want to test it
- Kwenye kila jukwaa ambalo unaweza kukimbia kwa ndani utapata jinsi ya kulizindua ndani ili uweze kulipanga kama unavyotaka kulijaribu
- Gitea + Jenkins lab: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat)
### Automatic Tools
- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is a static code analysis tool for infrastructure-as-code.
- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** ni zana ya uchambuzi wa msimbo wa statiki kwa ajili ya miundombinu kama msimbo.
## References
- [https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github\&utm_medium=github_page\&utm_campaign=ci%2fcd%20goat_060422](https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github&utm_medium=github_page&utm_campaign=ci%2fcd%20goat_060422)
{{#include ../banners/hacktricks-training.md}}