gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-09 11:44:59 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
08bb01e0931ee6dadfca3ef36f12859f1ea15430
hacktricks-cloud/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md
Carlos Polop 5ef56bb6b3 Recreating repository history for branch master
2024-12-12 19:35:48 +01:00

100 lines
6.0 KiB
Markdown
Raw Blame History

# AWS - Codestar Privesc
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Codestar
You can find more information about codestar in:
{% content-ref url="codestar-createproject-codestar-associateteammember.md" %}
[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md)
{% endcontent-ref %}
### `iam:PassRole`, `codestar:CreateProject`
With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. Check the following page:
{% content-ref url="iam-passrole-codestar-createproject.md" %}
[iam-passrole-codestar-createproject.md](iam-passrole-codestar-createproject.md)
{% endcontent-ref %}
### `codestar:CreateProject`, `codestar:AssociateTeamMember`
This technique uses `codestar:CreateProject` to create a codestar project, and `codestar:AssociateTeamMember` to make an IAM user the **owner** of a new CodeStar **project**, which will grant them a **new policy with a few extra permissions**.
```bash
PROJECT_NAME="supercodestar"
aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \
--name $PROJECT_NAME \
--id $PROJECT_NAME
echo "Waiting 1min to start the project"
sleep 60
USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"')
aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \
--project-id $PROJECT_NAME \
--user-arn "$USER_ARN" \
--project-role "Owner" \
--remote-access-allowed
```
If you are already a **member of the project** you can use the permission **`codestar:UpdateTeamMember`** to **update your role** to owner instead of `codestar:AssociateTeamMember`
**Potential Impact:** Privesc to the codestar policy generated. You can find an example of that policy in:
{% content-ref url="codestar-createproject-codestar-associateteammember.md" %}
[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md)
{% endcontent-ref %}
### `codestar:CreateProjectFromTemplate`
1. **Create a New Project:**
* Utilize the **`codestar:CreateProjectFromTemplate`** action to initiate the creation of a new project.
* Upon successful creation, access is automatically granted for **`cloudformation:UpdateStack`**.
* This access specifically targets a stack associated with the `CodeStarWorker-<generic project name>-CloudFormation` IAM role.
2. **Update the Target Stack:**
* With the granted CloudFormation permissions, proceed to update the specified stack.
* The stack's name will typically conform to one of two patterns:
* `awscodestar-<generic project name>-infrastructure`
* `awscodestar-<generic project name>-lambda`
* The exact name depends on the chosen template (referencing the example exploit script).
3. **Access and Permissions:**
* Post-update, you obtain the capabilities assigned to the **CloudFormation IAM role** linked with the stack.
* Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.
For more information check the original research: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\
You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar\_createprojectfromtemplate\_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py)
**Potential Impact:** Privesc to cloudformation IAM role.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in New Issue View Git Blame Copy Permalink